This article was updated on August 5, 2019.
From the very first day we founded Nozomi Networks we wanted the company to be known worldwide for our technical expertise, deep OT knowledge and competency in industrial cyber security.
Over the past few years we’ve focused on product development and expanding the team to meet the demands of a rapidly growing market. At the same time, we began to contribute research, tools and responsibly disclosed vulnerabilities to the ICS security community.
We’re pleased to let you know that we’ve now formalized our research efforts, increasing the resources devoted to it and broadening our community engagement. Today we’re introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.
In addition, we’re announcing that we recently enhanced Radamsa, an open source fuzzing tool, to make it faster and easier to test the security of ICS device software.
ICS Security Research Initiatives Version 1.0
Prior to today’s announcement we could call our efforts “research 1.0”. Our initiatives to date have included work in these broad areas:
1. ICS Malware Research and Tools – GreyEnergy and TRITON
Over the last year we conducted two significant research projects into malware related to ICS cyberattacks.
For GreyEnergy, we wanted to provide up-to-date information on malware tradecraft and share our knowledge with other security researchers. Our research paper, GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis, showed how one of the malware’s components, the packer, effectively disguises itself on infected systems.
We also freely released two tools, the GreyEnergy Yara Module and the GreyEnergy Unpacker, to facilitate further GreyEnergy analysis and contribute to defending critical infrastructure systems in the future.
In conjunction with the Black Hat USA 2018 conference, we released the paper TRITON: The First ICS Cyberattack on Safety Instrument Systems – Understanding the Malware, Its Communications and Its OT Payload. This paper showed that the effort, skills and financial resources needed to create the TRITON malware weren’t that high – certainly not at the level where nation state-sponsored resources were required.
2. Responsible Disclosure of ICS Vulnerabilities
Additionally, in the last 12 months, our security research team made more than a dozen responsible disclosures, which so far have resulted in eight industrial control system advisories being issued by NCCIC.
Successful exploitation of any of the vulnerabilities could result in safety incidents, downtime or loss of production. By making asset owners aware of these vulnerabilities through ICS-CERT advisories, we hope they will take remediation or mitigation measures, thereby reducing their cyber security risks.
“ICS vulnerabilities aren’t limited to a single vendor – any device can contain a vulnerability that adds risk to an organization. This is why following a process to regularly assess and prioritize vulnerabilities across your critical assets is important for maintaining a good security posture.
Also, knowing what your critical assets are communicating with and how they’re connected is essential to reducing risk. Most of the critical ICS vulnerabilities we’ve identified were exploitable through the network and could have easily led to downtime incidents.
Nozomi Networks Labs continues to investigate device vulnerabilities and make our information available through responsible disclosure processes.”
Moreno Carullo, Co-founder and CTO, Nozomi Networks
3. Developing Secure Communications Standards: IEC 62351
Many industrial sectors, including electric power, rely on communication protocols with little or no built-in security protection. These protocols were optimized for bandwidth and efficiency, not cyber security.
To help counter this problem, in the early 2000s IEC Technical Committee 57, a group devoted to power system management standards, started working on ways to make power grids secure-by-design. Working Group 15 (WG15) was formed to evaluate the requirements from a technology perspective, and define a standard way to implement them.
I (Moreno) have been a member of WG15 since 2015, and have contributed to the development of the IEC 62351 standards, particularly the sections related to power system monitoring. For an update on this work, read my recent blog post.
4. Updates to OT ThreatFeed
Nozomi Networks Labs curates and maintains the OT ThreatFeed – a subscription service that is fully integrated into Guardian. The OT ThreatFeed helps customers identify threats and vulnerabilities in their environment by providing context in the form of IDS signatures, Yara Rules, STIX indicators, vulnerability signatures, and more.
ICS Security Research Initiatives Version 2.0: Introducing Nozomi Networks Labs
With the introduction of Nozomi Networks Labs, we will continue to work in the areas outlined above, but will also draw on the expertise of our entire staff and the broader cyber security community. This community includes:
- ICS and IT staff at our client organizations
- Strategic partners working in the areas of threat intelligence and ICS data analytics
- Universities and other institutions doing research in areas related to cyber security risk
- Individual security researchers interested in collaborating on research initiatives
Our goal is to contribute in many ways to improving OT security for the entire community, beyond the work we do as a commercial enterprise.
Defending the Industrial Systems that Support Everyday Life
Whether you’re wondering:
- What is the future of ICS security?
- What are the best ways to efficiently reduce industrial cyber risk?
- What threats and vulnerabilities are present in my industrial network right now?
- How do I stay up-to-date on security standards?
- Where can I get free tools for further malware analysis?
we hope you’ll find helpful answers and resources in Nozomi Networks Labs.
Through our ICS security research, and collaborations with industry and institutions, we aim to help defend the systems that support everyday life.
- Press Release: Nozomi Networks Expands ICS Cyber Security Research with Labs Launch
- Webpage: Nozomi Networks Labs
- Blog: Nozomi Networks Labs Enhances Radamsa for Safer ICS Software
- Research Report: GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis
- Research Report: TRITON: The First ICS Cyberattack on Safety Instrument Systems – Understanding the Malware, Its Communications and Its OT Payload
- Blog: Black Hat: Understanding TRITON, The First SIS Cyberattack
- Blog: IEC 62351 Standards for Securing Power System Communications
- Webpage: OT ThreatFeed
Andrea Carcano, Co-Founder and Chief Product Officer
Andrea Carcano, an expert in industrial network security, advises governments, industrial operators, security partners and industry organizations on ICS cyber security strategies and best practices. He holds a Ph.D. in Computer Science focused on critical infrastructure security, and has authored multiple academic papers on ICS malware attacks and advanced attack detection techniques. As Founder and Chief Product Officer at Nozomi Networks, Andrea and his team are defining a new generation of ICS security solutions that detect complex intrusions to critical infrastructure control systems.
Moreno Carullo, Co-Founder and Chief Technical Officer
Armed with a Ph.D. in Artificial Intelligence and an extensive background in systems engineering and software development, Moreno Carullo has led the way in redefining the ICS cyber security product category. A long-time member of the IEC TC57 WG15 subcommittee, he is also actively working to shape cyber security standards for power system communication protocols. As Founder and Chief Technical Officer at Nozomi Networks, Moreno leads an exceptionally talented software development team that uses agile development to quickly address the cyber security requirements of enterprise customers and partners.