In the News
Though the energy industry and regulators are looking more closely at cybersecurity risks, the shift may not be happening fast enough, said Edgard Capdevielle, chief executive officer of Nozomi Networks Inc. in San Francisco, a company that provides cybersecurity applications for customers including power producers and oil and gas pipeline operators. The industry’s perception is that addressing energy cyber threats “is important, but mañana is OK,” said Capdevielle. “Mañana is not OK.”
Nozomi Networks, a San Francisco-based provider of industrial cybersecurity, has a different approach to culture. As CEO Edgard Capdevielle, a veteran of Data Domain — which EMC bought in 2009 for $2.4 billion — and EMC, explained, “When I joined the company in 2016, we had seven people and seven customers in Italy. Now we are growing from 46 to 67 people and we have a culture that fits our geographically distributed organization. We believe in extreme transparency — sharing all financial results we can legally disclose and high integrity with everybody — employees, customers, partners, and investors. These values build trust with our stakeholders which gives us a competitive advantage.”
Nozomi Networks co-founder and chief product officer Andrea Carcano said: “The supply chain cyberattack that disrupted a chain of natural gas companies is yet another reminder that oil and gas organisations are high-risk targets.”
To Capdevielle, the air gap is a fallacy that provides a false sense of security. As he put it, “Air gapping does not exist. It is a myth. Most industrial control networks adopted the TCP/IP standard about seven years ago. Before then, they were on a different standard. Once you adopt the TCP/IP standard, there is a gravitational-like force to connect. It’s like saying that one group of folks are not going to talk to another group even though they just learned the same language and they’re intermingling. That just cannot be avoided. With the adoption of TCP/IP, industrial control networks adopted Windows machines as their primary form of control operating system and Windows machines need to be patched and updated.”
WAGO released new firmware to mitigate an improper resource shutdown or release for its 750 Series, according to a report with ICS-CERT. Successful exploitation of this remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks, could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.
“The U.S.-CERT alert characterizes these attacks as a multi-stage intrusion campaign to gain remote access into targeted industrial networks,” said Thomas Nuth, director of products and solutions at cybersecurity technology supplier Nozomi Networks. “After obtaining access, the threat actors (i.e., Russian government cyber actors) conducted network reconnaissance to collect information pertaining to ICS. Such behavior is typical of APTs (advanced persistent threats).”
Given that the list of detection and prevention measures provided in the U.S. CERT alert is so extensive, Moreno Carullo, founder and chief technical officer at Nozomi Networks (a supplier of industrial cybersecurity technology), said it’s important for users to realize there is a key technique used to accomplish the type of monitoring recommended by CERT. That technique is hybrid threat detection. “This involves the use of signatures plus behavior-based anomaly detection to identify threats,” he said. “The results are correlated with each other and with operational context, providing rapid insight into what is happening, thereby reducing mitigation time.”
IoT/IIoT concepts have progressed from experimental to mainstream. Now, general IoT/IIoT technologies must compete for a share of IT/OT budgets, which isn’t always easy to do. Businesses and public sectors are implementing general IoT/IIoT systems, but they’re doing so cautiously due to associated cybersecurity concerns and consequences of systems failures, especially at the OT level. Until investment in ICS cybersecurity technology parallels investments in connected and automated systems, IoT/IIoT growth will be challenged.
This US-CERT alert is a milestone. It makes it perfectly clear that the U.S. infrastructure and critical manufacturing sectors, and likely the same sectors in other countries, are under high vulnerability for Russian attacks.
“This alert makes it even more imperative for industrial operators to focus on their cyber-resiliency measures. Real-time monitoring of ICS systems for anomalous behaviour that provides early warning of activities indicating the presence of an advanced attack is vital to understanding what is happening, the impact and how to mitigate the threat. Such activity could include unusual network connections, unusual communication messages, new or unusual commands from new sources, or new network flows. Furthermore, the presence of known indicators of compromise should be immediately identified by ICS monitoring solutions, giving operators a clear warning to take action on malware in their systems.”
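The hybrid approach Carullo describes (signatures plus behaviour-based anomaly detection, correlated together) and the anomaly types listed in the quote above, sketched as an added illustration rather than Nozomi Networks' own code. The flow records, the baseline and the single indicator address are all constructed for the example; real monitoring would learn the baseline from live traffic and load indicators from a published alert.

```python
# Constructed sample ICS flow records (src, dst, protocol, command); not from the page.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    ("10.0.1.11", "10.0.2.20", "s7comm", "read_var"),
]

# Constructed placeholder standing in for the known-IoC list an alert would carry
# (198.51.100.0/24 is a reserved documentation range, so it is not a real host).
KNOWN_IOC_IPS = {"198.51.100.7"}

OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers"),  # normal
    ("10.0.1.10", "10.0.2.20", "modbus", "write_single_register"),   # new command, known pair
    ("10.0.1.99", "10.0.2.20", "modbus", "read_holding_registers"),  # new source
    ("10.0.1.10", "198.51.100.7", "tcp", "connect"),                 # new flow hitting an IoC
]


def build_baseline(flows):
    """Learn 'normal': known sources, known (src, dst) pairs, known commands per pair."""
    sources = {f[0] for f in flows}
    pairs = {(f[0], f[1]) for f in flows}
    commands = {(f[0], f[1], f[3]) for f in flows}
    return sources, pairs, commands


def classify(flow, baseline, iocs):
    """Return the list of findings for one flow: a signature hit and/or one anomaly type."""
    src, dst, _proto, cmd = flow
    sources, pairs, commands = baseline
    findings = []
    if src in iocs or dst in iocs:          # signature-based: known indicator of compromise
        findings.append("ioc_match")
    if src not in sources:                  # behaviour-based: deviations from the baseline
        findings.append("new_source")
    elif (src, dst) not in pairs:
        findings.append("new_flow")
    elif (src, dst, cmd) not in commands:
        findings.append("new_command")
    return findings


def detect(observed, baseline_flows, iocs):
    """Correlate both detectors: an IoC hit outranks a pure baseline deviation."""
    baseline = build_baseline(baseline_flows)
    alerts = []
    for flow in observed:
        findings = classify(flow, baseline, iocs)
        if findings:
            severity = "high" if "ioc_match" in findings else "medium"
            alerts.append((flow, findings, severity))
    return alerts
```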