SCADA Sssh! Don’t Talk, Filter it

Pierluigi Paganini November 10, 2016

The effects of cyber-attacks against SCADA/ICS are well known; there is far less clarity about how to mitigate them.

Most practitioners are aware of the impact cyber-attacks can have on Industrial Control Systems, but when it comes to mitigation the picture is one of confusion and reactive measures. The recent 0-day dubbed 'Panel Shock', found in Schneider Electric's SCADA Human Machine Interface (HMI) panels, sent ripples of fear and doubt through the industry; once again the industry's dirty linen has been aired in public.

The media generally refer to all industrial control architectures as SCADA, and to avoid a terminological debate with the various security camps we will follow that convention here. It is not difficult to classify SCADA attack patterns by observing recent campaigns such as Havex, BlackEnergy and Stuxnet. In these campaigns the initial foothold was mostly gained outside the ICS network: phishing aimed at executives and staff who never touch the control network, and watering-hole attacks that trojanised the software on ICS vendors' download sites (the Havex case).

Assessing the Threat

There are no golden rules for assessing the threat, yet the question we hear most often is 'where should an organisation start?'. Within the RSA Advanced Cyber Defence Practice we use the domain framework shown below to assess ICS/SCADA threats and formulate responses.

[figure: scada-1]

A forthcoming post on the RSA blog (https://blogs.rsa.com/), written with Gareth Pritchard (Advanced Cyber Defence Consultant, EMEA) and Peter Tran (Senior Director, Advanced Cyber Defense, RSA), will analyse each domain in detail.

In today's article I want to focus on one element: 'filtering the white noise'.

One of the core failures of SCADA-based organisations is an inability to filter the white noise, that is, to dissect incidents through a combination of hunting, intelligence gathering and incident attribution. They fail to build a proactive, customised use-case library, which is what is needed to detect the specific, tailored threats aimed at the company. One suggested approach is a hunt-and-response strategy:

[figure: scada-2]

1)        Develop: UseCase Development Strategy

  1. Initial UseCase development. Create tailored use cases from theory, practice and experience to detect the top imminent, perceived or previously detected threats affecting the company. For example: ICS – UseCase #1 "Unusual/Unplanned OPC Scan"; ICS – UseCase #2 "Suspected C2 communication"; IDS signatures from the Emerging Threats rule set.
  • i Analysts respond to the alerts generated from the new Use Cases.
  • ii Intelligence teams add context and, where possible, attribution to the detected threats.
  • iii Content Engineering teams tune the use cases from the analysis, attribution and context.
    • Analysts respond to the alerts generated from the tuned Use Cases.
  • Engineering and Intelligence: detect and collect threat data to support additional UseCase development.

2)        Develop tailored metrics / reports to detect current threats based on real-world network data.

i)        Report 1: Critical Anomaly

  • Develop metric reports that display anomalous traffic patterns on critical systems: whitelist the expected traffic and show whatever remains from those devices on a pre-developed reporting template.
  • Collect log, packet and net-flow data for 30 days, then analyse and condense it into a data-analysis and metrics report that highlights suspicious traffic patterns and adds context to them.
  • Present and discuss the findings in a meeting with the administrators and engineers of the monitored critical systems; they can identify which of the anomalous traffic is genuinely suspicious and may warrant additional UseCases. (Fringe benefit: it engages and seeds relationships with the infrastructure teams, especially those responsible for critical systems.)
  • Investigate and consolidate threat intelligence on the perceived anomalous traffic and create custom use cases from this data together with the perceived attack scenarios.
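The following script is an added example, written for this article and not RSA's own tooling, that puts the Critical Anomaly report and the two starter use cases from step 1 side by side. It allowlists the traffic a critical host is expected to generate, aggregates whatever remains into the Report 1 view, and then runs "Unusual/Unplanned OPC Scan" (one source fanning out to many OPC endpoints in a short window) and "Suspected C2 communication" (near-constant beacon intervals to one endpoint) over the residual. The hosts, ports, allowlist and thresholds are hypothetical and the flow records are constructed; the Modbus polling from the historian is deliberately as regular as the beacon, to show why the white noise has to be explained away before the beacon logic runs.

```python
"""Filter the white noise: allowlist a critical host's expected traffic, report the
residual (Report 1), then run UseCase #1 and #2 over it. Added example, not RSA's
tooling; hosts, ports, allowlist and thresholds are hypothetical, flows constructed."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed net-flow style export: timestamp src dst proto dport bytes.
# 10.10.1.5 is the historian, 10.10.1.50 an engineering workstation (hypothetical).
SAMPLE_FLOWS = """\
2016-11-01T08:00:00 10.10.1.5 10.10.1.20 tcp 502 640
2016-11-01T08:00:30 10.10.1.5 10.10.1.20 tcp 502 640
2016-11-01T08:00:45 10.10.1.5 10.10.0.1 udp 123 76
2016-11-01T08:01:00 10.10.1.5 10.10.1.20 tcp 502 640
2016-11-01T08:01:30 10.10.1.5 10.10.1.20 tcp 502 640
2016-11-01T08:02:00 10.10.1.5 10.10.1.20 tcp 502 640
2016-11-01T08:02:00 10.10.1.50 10.10.2.9 tcp 4840 1200
2016-11-01T08:02:03 10.10.1.50 10.10.2.10 tcp 4840 1200
2016-11-01T08:02:06 10.10.1.50 10.10.2.11 tcp 4840 1200
2016-11-01T08:02:09 10.10.1.50 10.10.2.12 tcp 4840 1200
2016-11-01T08:02:12 10.10.1.50 10.10.2.13 tcp 4840 1200
2016-11-01T08:03:00 10.10.1.50 198.51.100.20 tcp 443 3100
2016-11-01T08:05:00 10.10.1.50 203.0.113.7 tcp 443 930
2016-11-01T08:07:00 10.10.1.50 10.10.1.5 tcp 445 4096
2016-11-01T08:09:30 10.10.1.50 198.51.100.20 tcp 443 2800
2016-11-01T08:10:00 10.10.1.50 203.0.113.7 tcp 443 930
2016-11-01T08:15:00 10.10.1.50 203.0.113.7 tcp 443 930
2016-11-01T08:20:00 10.10.1.50 203.0.113.7 tcp 443 930
2016-11-01T08:25:00 10.10.1.50 203.0.113.7 tcp 443 930
"""

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")


def parse_flows(text):
    """Parse the whitespace-separated export into Flow records."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport, nbytes = line.split()
            flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto,
                              int(dport), int(nbytes)))
    return flows


# Expected traffic agreed with the system owners (hypothetical): Modbus/TCP polling
# of one PLC and NTP. Anything else from these hosts is white noise to be explained.
ALLOWLIST = {
    ("10.10.1.5", "10.10.1.20", "tcp", 502),
    ("10.10.1.5", "10.10.0.1", "udp", 123),
}
OPC_PORTS = {135, 4840}  # OPC Classic (DCOM endpoint mapper) and OPC UA default


def residual(flows, allowlist=ALLOWLIST):
    """Report 1 input: the flows the allowlist does not explain."""
    return [f for f in flows if (f.src, f.dst, f.proto, f.dport) not in allowlist]


def critical_anomaly_report(flows):
    """Aggregate per (src, dst, proto, dport) into (key, count, bytes), busiest first."""
    count, volume = defaultdict(int), defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        count[key] += 1
        volume[key] += f.nbytes
    return sorted(((k, count[k], volume[k]) for k in count), key=lambda r: (-r[1], r[0]))


def detect_opc_scan(flows, window=timedelta(seconds=60), threshold=5):
    """UseCase #1: a source reaching >= threshold distinct OPC endpoints within `window`."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in OPC_PORTS:
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, first in enumerate(fl):  # slide the window over each start point
            dsts = {g.dst for g in fl[i:] if g.ts - first.ts <= window}
            if len(dsts) >= threshold:
                hits[src] = sorted(dsts)
                break
    return hits


def detect_beaconing(flows, min_events=5, max_cv=0.1):
    """UseCase #2: near-constant inter-arrival time to one endpoint (suspected C2).
    Run on the residual: the historian's 30 s polling is just as regular."""
    stamps = defaultdict(list)
    for f in flows:
        stamps[(f.src, f.dst, f.dport)].append(f.ts)
    findings = []
    for (src, dst, dport), ts in stamps.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)  # coefficient of variation: spread relative to the mean gap
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, dport, len(ts), avg))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    rest = residual(flows)
    print(f"{len(flows)} flows, {len(rest)} unexplained after allowlisting")
    for key, n, vol in critical_anomaly_report(rest):
        print(f"{n:3d} flows {vol:6d} B  {key}")
    print("OPC scan:", detect_opc_scan(rest))
    print("beacons raw / filtered:", len(detect_beaconing(flows)), detect_beaconing(rest))
```

Run on the constructed flows, the allowlist explains 6 of the 19 records; the report puts the five-minute connections to 203.0.113.7 at the top, the OPC scan logic fires once for 10.10.1.50, and the beacon logic flags both the historian's Modbus polling and the external beacon on the raw flows but only the beacon on the residual. The 30-day data collection the text describes is what lets the allowlist be built from observed traffic rather than from documentation.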

3) Hunt: Implement a Hunting Development process.

  • i Hunters find new threats on the network and raise incidents for investigation.
  • ii Intelligence teams add context and, where possible, attribution to the detected threats.
  • iii Content Engineering teams create use cases from the newly acquired indicators.
    • Analysts respond to the alerts generated from the new Use Cases.
  • iv Intelligence teams add context and, where possible, attribution to the detected threats.
  • v Content Engineering teams tune the use cases from the analysis, attribution and context.
    • Analysts respond to the alerts generated from the tuned Use Cases.

4) Enhance: Review UseCase Library

Analyse, for each UseCase, how many times it has triggered alongside how often the indicators present in its logic have appeared. Determine whether any UseCases are erroneous or no longer valid.

Submit the report to the Content Management team to repair erroneous UseCases and archive those that are no longer useful or relevant to the SOC.

  • Removing defunct UseCases keeps the library current and in line with the threat landscape, and also helps with the optimisation and maintenance of the production appliances.
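As an added example of the review described in this step (not RSA's tooling), the script below takes a constructed review extract, with alert counts, analyst confirmations and the last date each indicator in a use case's logic was seen in telemetry, and sorts each use case into keep, tune, repair or archive. The thresholds, the use-case names and the dates are hypothetical. The distinction worth automating is the one the text draws: a use case that never fires while its indicators are still being observed has broken logic and needs repair, whereas one whose indicators have gone quiet for the whole review period is a candidate for archiving.

```python
"""Step 4 (Enhance): review the UseCase library from trigger counts, analyst
dispositions and indicator freshness. Added example, not RSA's tooling; the
review extract is constructed and the thresholds are hypothetical."""
from datetime import date

REVIEW_DAYS = 180        # six-monthly review cycle
MIN_PRECISION = 0.10     # below this share of confirmed alerts the case is noise
REVIEW_DATE = date(2016, 11, 10)

# Constructed extract: alerts raised in the period, how many analysts confirmed,
# and the last date each indicator in the use case logic was seen in telemetry.
REVIEW = [
    {"usecase": "ICS-UC1 Unusual/Unplanned OPC Scan", "alerts": 14, "confirmed": 9,
     "indicators": {"opc fan-out >= 5 hosts/60s": date(2016, 10, 28)}},
    {"usecase": "ICS-UC2 Suspected C2 communication", "alerts": 230, "confirmed": 3,
     "indicators": {"beacon cv <= 0.1": date(2016, 10, 30)}},
    {"usecase": "Vendor site watering-hole IOC set", "alerts": 0, "confirmed": 0,
     "indicators": {"198.51.100.20": date(2016, 2, 14), "203.0.113.7": date(2016, 3, 1)}},
    {"usecase": "SMB to historian from eng. workstation", "alerts": 0, "confirmed": 0,
     "indicators": {"tcp/445 -> 10.10.1.5": date(2016, 10, 25)}},
]


def review_usecase(uc, today, review_days=REVIEW_DAYS, min_precision=MIN_PRECISION):
    """Return (verdict, reason) for one use case.

    keep    - fires and most alerts are confirmed
    tune    - fires but precision is below the noise threshold
    repair  - never fires although its indicators are still observed (logic is broken)
    archive - never fires and no indicator was seen in the review period
    """
    fresh = [name for name, seen in uc["indicators"].items()
             if (today - seen).days <= review_days]
    if uc["alerts"] == 0:
        if fresh:
            return "repair", "0 alerts but indicators still observed: " + ", ".join(fresh)
        return "archive", "0 alerts and no indicator seen in the review period"
    precision = uc["confirmed"] / uc["alerts"]
    verdict = "tune" if precision < min_precision else "keep"
    return verdict, f"precision {precision:.2f} over {uc['alerts']} alerts"


def review_library(records, today):
    """Map each use case name to its verdict: the input for the Content Management team."""
    return {uc["usecase"]: review_usecase(uc, today) for uc in records}


if __name__ == "__main__":
    for name, (verdict, why) in review_library(REVIEW, REVIEW_DATE).items():
        print(f"{verdict:8s} {name}: {why}")
```

On the constructed extract the OPC-scan case is kept, the C2 case is sent for tuning (3 confirmations from 230 alerts), the stale watering-hole indicator set is archived, and the SMB case is flagged for repair because its indicator was seen two weeks ago yet it never fired.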
5) Respond: Optimise and Advance roles

  • i Expand hunting and attribution capabilities to include dark-net operations.
  • ii Expand L2 analyst capabilities to include malware analysis and basic remote forensic collection and analysis of forensic images.
  • iii Expand L1 analyst capabilities to triage, analysis, response and closure of low-priority incidents.

6) Enhance: Management reporting and Success factors

Conduct six-monthly reviews to gauge success, knowledge gaps and training requirements.

Run six-monthly and annual reports highlighting the costs saved as a direct or indirect result of breach prevention and breach disruption. Use this data to justify funding to enhance and advance the SOC through analyst training, appliance upgrades and user-awareness events.

The above process is only one step towards developing a mitigation process for ICS environments. Organisations need to move away from siloed working and the 'not in my backyard' mentality in order to develop a more robust, holistic process. See the RSA blog next week for the framework analysis.

Suggested Reading

INDUSTRIAL CONTROL SYSTEMS (ICS) AMBIGUITY?
http://blogs.rsa.com/industrial-control-systems-blog/

About the authors:

Azeem Aleem

Director, RSA Advanced Cyber Defence Practice, EMEA

An experienced information security executive with over 15 years of practitioner experience in cyber defence technologies, security operations, counter-threat intelligence, data analytics and the behavioural classification of cyber criminals.

As a subject matter expert he has made frequent appearances on regional television and radio programmes to comment on cyber threats. A published book author and academic criminologist, he has also authored several articles on advanced security threats in peer-reviewed journals and security magazines. He is a regular plenary speaker at national and international conferences.

Gareth Pritchard is a consultant for the Advanced Cyber Defense Services Practice – EMEA. In this capacity Gareth is responsible for professional services engagements covering global incident response and discovery (IR/D), breach readiness, remediation and SOC/CIRC redesign.

Gareth has over 10 years of experience in information technology, focusing on root-cause analysis of infrastructure and cyber-security issues. This has given him a broad base of experience in remediating problems and in designing processes and procedures that prevent issues from recurring.

Gareth has studied a range of technologies and has broad experience in application scripting, web design, malware analysis, big-data correlation, data mining and Windows/Linux technologies. This knowledge has been paramount in understanding the current threats and tactics used by cyber criminals.


Pierluigi Paganini

(Security Affairs – SCADA, hacking)



Tags: Hacking, Havex, ICS, Panel Shock, SCADA, Stuxnet, zero-Day
