Nozomi Networks Labs: Sharing Valuable ICS Cybersecurity Research

This article was updated on March 3, 2020.

From the very first day we founded Nozomi Networks we wanted the company to be known worldwide for our technical expertise, deep OT knowledge and competency in industrial cybersecurity.

Over the past few years we’ve focused on product development and expanding the team to meet the demands of a rapidly growing market. At the same time, we began to contribute research, tools and responsibly disclosed vulnerabilities to the ICS security community.

We’re pleased to let you know that we’ve now formalized our research efforts, increasing the resources devoted to it and broadening our community engagement. Today we’re introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.

In addition, we’re announcing that we recently enhanced Radamsa, an open source fuzzing tool, to make it faster and easier to test the security of ICS device software.

ICS Security Research Initiatives Version 1.0

Prior to today’s announcement we could call our efforts “research 1.0”. Our initiatives to date have included work in these broad areas:

1. ICS Malware Research and Tools – GreyEnergy and TRITON

Over the last year we conducted two significant research projects into malware related to ICS cyberattacks.

For GreyEnergy, we wanted to provide up-to-date information on malware tradecraft and share our knowledge with other security researchers. Our research paper GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis, showed how one of the APT’s components, the packer, effectively disguises itself on infected systems.

We also freely released two tools, the GreyEnergy Yara Module and the GreyEnergy Unpacker, to facilitate further GreyEnergy analysis and contribute to defending critical infrastructure systems in the future.

In conjunction with the Black Hat USA 2018 conference, we released the paper TRITON: The First ICS Cyberattack on Safety Instrument Systems – Understanding the Malware, Its Communications and Its OT Payload. This paper showed that the effort, skills and financial resources needed to create the TRITON malware weren’t that high – certainly not at the level where nation state-sponsored resources were required.

We also freely released two tools, the TriStation Protocol Plug-in for Wireshark, and the Triconex Honeypot Tool, to help the ICS community secure Triconex SIS.

2. Responsible Disclosure of ICS Vulnerabilities

Additionally, in the last 12 months, our security research team made more than a dozen responsible disclosures, which so far have resulted in eight industrial control system advisories being issued by NCCIC.

Successful exploitation of any of the vulnerabilities could result in safety incidents, downtime or loss of production. By making asset owners aware of these vulnerabilities through ICS-CERT advisories, we hope they will take remediation or mitigation measures, thereby reducing their cybersecurity risks.

“ICS vulnerabilities aren’t limited to a single vendor – any device can contain a vulnerability that adds risk to an organization. This is why following a process to regularly assess and prioritize vulnerabilities across your critical assets is important for maintaining a good security posture.

Also, knowing what your critical assets are communicating with and how they’re connected is essential to reducing risk. Most of the critical ICS vulnerabilities we’ve identified were exploitable through the network and could have easily led to downtime incidents.

Nozomi Networks Labs continues to investigate device vulnerabilities and make our information available through responsible disclosure processes.”

Moreno Carullo, Co-founder and CTO, Nozomi Networks

3. Developing Secure Communications Standards: IEC 62351

Many industrial systems, including those in the electric power industry, use communication protocols with little or no security protection. These protocols were optimized for bandwidth and efficiency, not cybersecurity.

To help counter this problem, in the early 2000s IEC Technical Committee 57, a group devoted to power system management standards, started working on ways to make power grids secure-by-design. Working Group 15 (WG15) was formed to evaluate the requirements from a technology perspective, and define a standard way to implement them.

I (Moreno) have been a member of WG15 since 2015, and have contributed to the development of IEC 62351 standards, particularly sections related to power system monitoring. For an update on this work, read my recent blog.

4. Updates to Threat Intelligence

Nozomi Networks Labs curates and maintains the Threat Intelligence – a subscription service that is fully integrated into Guardian. The Threat Intelligence helps customers identify threats and vulnerabilities in their environment by providing context in the form of IDS signatures, Yara Rules, STIX indicators, vulnerability signatures, and more.

ICS Security Research Initiatives Version 2.0: Introducing Nozomi Networks Labs

With the introduction of Nozomi Networks Labs, we will continue to work in the areas outlined above, but will also draw on the expertise of our entire staff and the broader cybersecurity community. This community includes:

  • ICS and IT staff at our client organizations
  • Strategic partners working in the areas of threat intelligence and ICS data analytics
  • Universities and other institutions doing research in areas related to cybersecurity risk
  • Individual security researchers interested in collaborating on research initiatives

Our goal is to contribute in many ways to improving OT security for the entire community, beyond the work we do as a commercial enterprise.

Defending the Industrial Systems that Support Everyday Life

Whether you’re wondering:

  • What is the future of ICS security?
  • What are the best ways to efficiently reduce industrial cyber risk?
  • What threats and vulnerabilities are present in my industrial network right now?
  • How do I stay up-to-date on security standards?
  • Where can I get free tools for further malware analysis?

We hope you’ll find helpful answers and resources in Nozomi Networks Labs.

Through our ICS security research, and collaborations with industry and institutions, we aim to help defend the systems that support everyday life.

To access all our research, visit the Nozomi Networks Labs webpage. If you’re interested in working with us on Labs projects, please contact us.