Nozomi Networks Labs

Defending Critical Infrastructure Against Cyber Risk

ABOUT LABS

Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.

Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.

Collaborating to Reduce ICS Cyber Risk

Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.

If you’d like to work together, we’d love to hear from you!

NEW SIEMENS SCALANCE X Switches – Advisory (ICSA-19-225-03)  NCCIC ICS-CERT BLOG

 Research Reports

TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload

How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.

Tools

Radamsa Enhancement, Introducing PCAPNG Awareness

  • Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.

Threat Advisories

Labs Blogs

An ICS Cyber Security Storm is Brewing: How to Prevent Staff Burnout

Building cyber resiliency puts a lot of pressure on an organization’s security team. It requires specialized knowledge that takes time to develop, and there just aren’t enough skilled cyber experts to go around.

Which begs the question: are the limited number of security experts holding the front lines in danger of burnout – and what can we do about it?
read more

What You Need to Know About LookBack Malware & How to Detect It

On August 1, security researchers at Proofpoint reported the details of spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network. Learn more about LookBack malware and how you can detect it.
read more

Advances in Cyber Security for Electric Utilities: WG15 & Black Hat

As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.

If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.
read more

Nozomi Networks Labs Enhances Radamsa for Safer ICS Software

Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.

Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.
read more

GreyEnergy Malware Research Paper: Maldoc to Backdoor

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.
read more

IEC 62351 Standards for Securing Power System Communications

To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids. As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.
read more

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years. As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.
read more

OT ThreatFeed

Click to enlarge.

Curated and maintained by Nozomi Networks Labs, the OT ThreatFeed™ provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current ICS risks.

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”

ANDREA CARCANO & MORENO CARULLO

Co-founders, Nozomi Networks

© 2019 Nozomi Networks, Inc.
All Rights Reserved.