Far away, but still on site: security testing with distance
An attacker in your own network: Many companies had to go through this worst-case scenario. With Limes Security, companies have a strong partner who identifies and points out these dangers and is now even more flexible. With a new system, Limes offers the possibility of being virtually on site at the customer’s premises. This saves costs and time, and these days, helps to protect employees. The effort on the part of the customer is minimal, while at the same time a wide range of test types can be covered.
For Limes Security, personal customer contact is particularly important, especially for security assessments such as penetration tests. These are preferably carried out by experts on site at the customer’s premises, thus ensuring, among other things, that the customer’s individual needs can be met. Due to situation, one must deal with obstacles such as travel restrictions or internal company regulations on social distancing, but also for the protection of employees, on-site penetration tests are not always feasible at present. On top there’s economic and practical reasons, that often speak against being physically at the customers premises.
The demand for security testing naturally continues. Nevertheless, systems and components must still be tested for their security, whether due to internal specifications, legal or contractual obligations.
To meet these requirements and still offer the best possible protection for customers, Limes Security has developed a system that creates the possibility of security assessments without making the component to be tested accessible via public Internet or VPN access.
The advantages of the new solution in short:
- Cost-efficient: No more travel time and expenses
- Flexible: travel restrictions are no obstacle
- Ready for use in no time: the system can be replicated and only needs to be sent by mail
- Minimal configuration effort: customers only need to activate an outgoing connection in the firewall
- Secure communication: using proven technologies and encryption mechanisms, a secure tunnel to a Limes Security Server is established
How does it work?
Core of the system is a powerful Mini-PC, which is sent to the customer by mail. To exclude manipulation from outside, the operating system is encrypted. In addition, it is configured so that it connects to a server under the control of Limes Security via a secure connection without exception. Further access is also provided via this server. This way, customers only need to release an outgoing connection to this server. Only Limes employees who are entrusted with the project have access to the server. This ensures that the need-to-know authorization principle is observed.
Virtual machines are stored on the system for the various test cases, each of which is exclusively assigned a network interface. This, in turn, makes it possible to avoid dual-homed systems. The interface can thus be connected to the test-relevant network segment without creating a bridge between the network segments and opening up potential security gaps.
In order to meet all customer needs, the various use cases and also setups, Limes Security also offers the option of providing a virtual version of the system for download.
Naturally, Limes Security still attach great importance to customer contact. Projects of this type are accompanied by constant communication with the customer. Test scenarios and activities are discussed in advance, and project participants are kept informed about each phase.
The system can, of course, be duplicated, but the experts at Limes, who supervise the projects and perform the tests, cannot. Therefore, please contact us promptly to protect your system from any security gaps.
Do you have any questions on this topic? We are happy to help!
Ein Security Deshi auf Reisen [DE]
Eine Geschichte aus dem Leben eines Praktikanten
Im Zuge meines Studiums, „Sichere Informationssysteme“ habe ich ein verpflichtendes Berufspraktikum absolviert. Die Auswahl eines Praktikumsgebers stellt Studenten, die in kürzester Zeit so viele unterschiedliche Bereiche einer Sparte kennenlernen, vor die Frage: „Was will ich eigentlich wirklich machen?“
Hier hat sich Limes Security durch ihren Facettenreichtum als Eldorado für angehende Security Experten entpuppt. Während meines Praktikums wurde ich in die unterschiedlichsten Projekte eingebunden und konnte schnell herausfinden wo meine Stärken sowie Schwächen liegen. Vor allem konnte ich dadurch feststellen, dass es genau diese Abwechslung von Projekten ist, die unseren Job so spannend macht. Seien es nun die internen Projekte, welche man privat zum Teil sogar als Spielereien bezeichnen würde, umfangreiche Risk-Assessments, welche Management und Technik vereinen oder Penetrationtests bei Kunden vor Ort, in Umgebung von denen Security Experten oft nur träumen können.
Mein persönliches Highlight war die Möglichkeit an einer Studie der De Montfort University im Bereich „Agile Incident Response for Industrial Control Systems“ (AIR4ICS) teilzunehmen. Für mich war das eine Dienstreise, welche einerseits eine steile Lernkurve im Bereich Red/Blue-Teaming mit sich brachte, mir andererseits aber auch zeigte, wie viel Wert daraufgelegt wird, einem Studenten ein spannendes Praktikum zu ermöglichen.
Ein spannendes Arbeitsumfeld allein macht noch kein gutes Praktikum oder einen großartigen Arbeitsplatz aus. Für mich persönlich spielt der Umgang mit den KollegInnen eine große Rolle dabei, wie gerne ich zur Arbeit gehe und meine alltäglichen Aufgaben anpacke. Auch hier wurde ich in keiner Weise enttäuscht. Von Tag eins an wurde ich als fixer Bestandteil des Teams betrachtet und behandelt, als würde man sich schon ewig kennen. Um noch einmal auf die persönlichen Stärken und Schwächen zurückzukommen: gerade hier zeigt sich wie das Miteinander funktionieren kann. Schon nach kürzester Zeit wurde ich nach meiner Expertise zu Projekten und allfälligen Security-Themen, welche uns intern beschäftigten, gefragt. Auf der anderen Seite konnte ich mich jeder Zeit darauf verlassen, dass mir bei Thematiken, wo mir der Background fehlte oder mein Skillset noch nicht ausreichend geschärft war, geholfen wurde.
Seit meinem ersten Arbeitstag sind nun schon über ein Jahr vergangen und rückblickend kann ich nur sagen, dass ich froh darüber bin meine Angst gegenüber dem ersten Job im Bereich IT/OT-Security überwunden und mich der Herausforderung gestellt zu habe, meine Fähigkeiten in einem zu diesem Zeitpunkt noch kleineren Unternehmen, wo die Arbeit eines jeden Einzelnen zu Erfolg und Misserfolg beiträgt, unter Beweis zu stellen.
Zum Abschluss bleiben mir nur zwei Dinge, die ich sagen möchte:
(1) Ein großes Dankeschön an Peter und Thomas, welche mir dieses Praktikum und die tollen Erfahrungen ermöglicht haben und
(2) an alle die überlegen sich bei uns zu bewerben: Go for it – Operational Technology ist kein Hexenwerk!
Procurement of secure plant components with IEC 62443
Secure OT operation starts already with procurement, we’re therefore looking into the relevance of procurement of secure industrial components with IEC62443 in this post. From the asset owner’s point of view, the IEC 62443-4 part is particularly important for the procurement process. This part addresses component manufacturers and the security capabilities of components. This includes on the one hand requirements for a secure development process (62443-4-1), as well as requirements on the technical security properties of industrial components (62443-4-2).
This article is intended to give a brief insight into the usage of 62443-4-2 and the definition of requirements based on the standard.
Overview of IEC 62443-4-2
Generally, the 4-2 standard is aimed at all industrial components, which are divided into four device categories:
- Embedded devices (e.g. PLC, sensors, DCS)
- Host devices (e.g. PC, workstation)
- Network devices (e.g. industrial routers / switches)
- Software applications (e.g. configuration software, historian software)
Requirements are divided into foundational requirements (FR), which define general component requirements (CR), as well as specific requirements for each device type (e.g. network device requirements).
Definition of requirements for the plant design
For this purpose, a risk analysis according to the process model of IEC 62443-3-2 should be performed, and based on the identified risks, a system design should be created. In order to mitigate the identified risks, the necessary requirements for the components can be derived. This set of requirements can be specifically defined using a selection of requirements (CR).
Based on the criticality and specific protection needs (e.g. legislation), the so-called security level (SL 1-4) should be defined for each component and the requirements adjusted accordingly. This list of requirements forms the basis for the procurement of components. Mature component vendors who align their products along with 62443-4 provide the requirements and security levels (SL-C) that can be achieved by their products. Of course, there will be cases in which different requirements cannot be met by a specific component – in this case, compensating measures should be planned and implemented to ensure the protection of the component and the system. The selection of components corresponding to the desired security level however forms already the basis for secure plant operation.
In the industrial environment, the IEC 62443-4 part is becoming more and more established, with numerous product certifications, including well-established vendors like Siemens, Phoenix Contact, Rockwell and Cisco.
Limes Security is specialized in the field of IEC 62443 standards and is happy to support you with achieving your desired security level through professional consulting.
A big THANKS to all critical infrastructure people
During a pandemic crisis it becomes visible that our modern society heavily depends on different types of critical infrastructures that are supplying essential services enabling our comfortable lives. These critical infrastructures include, among others:
Energy supply such as electricity-grids, oil-, gas- and heat-grids, refineries, fresh water supply and waste-water treatment facilities, public transport, airports, payment systems, mobile communications and Internet services, justice systems including prisons and courts, agriculture, food, hygiene-goods supply and health care.
The most recent bottlenecks may well be visible in the health care-, food- and hygiene-sectors at this time. However, the people working in these areas do a tremendous job keeping their services alive, contributing to the continuous safety of us.
Major failures in any of these infrastructures could lead to cascading effects, yet all providers of essential services demonstrate awareness regarding the importance of their work and the stability they are required to provide. Many of them quarantined themselves at work, to escape infections, ensuring continuous operation of their essential service.
Just for example, imagine the impact of unavailable electricity, a service we generally take for granted. It would impact all electronics (e.g., Internet modem, TV, smartphone, hairdryer, etc.), water pumps in most regions, cooking, cellphone towers, payment systems that are not based on cash, pumps at most gas stations, and a myriad of other devices, services and systems.
We, as a society, should consider building up capacities for a minimum supply of all essential goods that are needed to operate these critical infrastructures. At the very least, we should keep minimal production capabilities for essential services nearby to reduce dependency on global supply lines. Our critical infrastructures should not depend on external support as much as they currently do. A good example can be seen in the shortages of facemasks, disinfectant and gloves. Our nurses and doctors work tirelessly in numerous situations, endangering themselves, to care for sick people.
Especially in dire times, the people working in these jobs deserve our gratitude and support. Kudos to the brave women and men working around the clock keeping our critical infrastructures operational. You literally keep the cornerstones of modern society alive.
An agent named Drozer
How Drozer can collect data from your installed apps
In recent years, the use of mobile devices such as smartphones and tablets has increased dramatically. Apps have become a fixed part of our everyday life. Unfortunately, it is often overlooked that these apps require the same IT security as traditional desktop applications or websites.
A mistake that often occurs during development is that security features are implemented in the app but are not checked on the server afterwards. An app always runs on a user’s end device and hackers can attack the app directly. This results in many attack surfaces. The communication between the app and the server could be interrupted. But also, internal data of the app can be extracted from the mobile device and harmful modifications can be made. Exported interfaces can also be opened if they do not have enough protective measures.
Drozer on a mission to collect data
A well-known tool for testing and exploiting vulnerabilities on Android devices is Drozer. If the Drozer agent is installed on a smartphone, an attacker can connect to it and siphon off information about the device. Drozer can impersonate a native Android application, communicate with the Dalvik virtual machine responsible for running apps on Android or collect information about the operating system. Additionally, it allows to retrieve information about installed apps, for example from the manifest.xml file. The tool can not only collect data, but also start activities itself – of particular interest are exposed interfaces such as activities, broadcast receivers, content providers and services. If no sufficient access rights were set for the mentioned interfaces, Drozer can use them to read internal application data.
The average consumer will not voluntarily install Drozer on his smartphone, but it is usually not necessary. Drozer can be delivered as part of a fake app, in order to install itself unnoticed on the device, in addition it does not even need root rights for its functionality. Therefore, apps should only be obtained from trusted sources such as the Play Store or, for iPhones, from the AppStore.
If you develop apps yourself and are not sure how much information a Drozer agent can steal from your application, Limes offers security penetration tests. Our experts not only test the attack surface between server and app, but also other critical components within apps.
Save the date: Webinar “How much Cybersecurity is necessary for an Industrial Company?”
New TÜV personal certification for OT Security
Limes Security has been successfully offering trainings in the field of Industrial / OT Security since 2012. Since then, many industrial customers have come to appreciate the quality of these trainings, but there has also been a growing interest and need for personal certification, which visibly enhances the qualifications of industrial personnel in the area of security.
Limes Security has therefore developed a personal certification scheme and will be offering this as of March 2020 in cooperation with TÜV Austria (https://www.tuv-akademie.at/) as a particularly qualified partner in the area of personal certification. This is a milestone in the area of personal certification for industry with a focus on security. The high-quality and practical OT Security training courses of the Limes Security Academy – from practitioners to managers – are divided into three modules and last 2.5 days per module. Afterwards, you can immediately take the exam, which is approved by TÜV Austria (duration approx. 2 hours).
“We are pleased to be able to meet the needs of our customers in an increasingly digitalized industry even better with the OT Security personal certification scheme,” says Kerstin Reisinger, director of the Limes Academy.
The trainings in detail:
ICS.201 Industrial Security Foundation
Training & examination for Certified OT Security Practitioner TÜV® (COSP)
ICS.211 Technical OT Security
Training & examination as Certified OT Security Technical Expert TÜV® (COSTE)
ICS.212 OT Security Management
Training & examination for Certified OT Security Manager TÜV® (COSM)
Validity of the certificates: 3 years, a re-certification is possible afterwards
For whom does the certification of persons represent an additional value?
This certification is perfectly suited for employees from the industrial sector who want to visibly improve their qualifications in the field of security and also want to provide proof of their knowledge in this area. The certification is therefore aimed at
- Companies from the following sectors: industrial component manufacturers, manufacturing industry, mechanical engineers, system integrators, plant operators, energy suppliers, operators of critical infrastructure
- Persons in the function: maintenance, production technicians, plant planners and plant engineers, persons responsible for plant IT, future operations managers and production managers
Due to changed regulatory requirements and industrial security standards (keyword NIS law, IEC62443), it is becoming increasingly important for industrial component manufacturers, system integrators and plant operators to be able to provide evidence of qualified personnel. The OT Security personal certification scheme provides significant help in this context.
Which requirements are necessary?
For the ICS.201 Foundation Training no specific previous knowledge of the participants is necessary
For the ICS.211 or Technical Expert the Foundation Training (ICS.201) or 3 years of experience as a substitute is required
For the ICS.212 OT Security Management Training the Foundation Training (ICS.201) or the Technical OT Security Training (ICS.211) is required
Certification at the end of the course is not mandatory. The course can also be completed without certification for the mere gain of knowledge.
You can find information about the individual course contents in our #List of courses
Limes Security will be part of the “Cyber Corner” at Medico Bazar at DTU in Lyngby near Copenhagen on 12 March
“Medico Bazar” is the largest networking event by the Danish innovation network “Danish Healthtech” that caters to companies, healthcare professionals, researchers, students, advisors, investors and industry and interest organizations and is held yearly at the Technical University of Denmark in Kongens Lyngby near Copenhagen. This year, Limes Security joins other cybersecurity specialists at the “Cyber Corner” by invitation of the newly founded “Danish Hub for Cyber Security” to introduce the topic of cybersecurity to the participants of the event.
Our presence at the event is particularly aimed at medical device manufacturers who are constantly faced with the challenge of developing cybersecure products to ensure that patients’ lives are not potentially endangered by cyber attacks. At the Chaos Communication Camp 2019, our colleague Tobias Zillner has already presented the challenges and the effects of a lack of cybersecurity: https://media.ccc.de/v/Camp2019-10288-500_000_recalled_pacemakers_2_billion_stock_value_loss
If you work in the healthcare sector and the topic of cybersecurity is near and dear to your heart (possibly quite literally), visit us in the Cyber Corner of the Medico Bazar at the DTU in Lyngby or contact us by email at email@example.com
Limes Security offers customized consulting services based on the international standard IEC 62443-4-1, as well as training on the topic of secure software and secure product development. Contact us today!
Danish Healthtech: https://danishhealthtech.dk/en
Hub for Cybersecurity: https://www.cyberhub.dk/
Brand new: The Limes Academy list of courses 2020/21
Digitalisation is on the rise and industrial security is becoming a key factor for companies. It is therefore essential to build and deepen the necessary security knowledge. With the new training program, Limes Security makes it easy for you to find your way into the most important security topics.
In the three areas
- Security awareness
- OT Security and
- Security engineering
you will find offers for training to build up security self-competence and the most important security basics, further in-depth knowledge for decision makers and technicians, industry-specific special topics, as well as knowledge and insight for the secure development of products and software.
However, the training program of the Limes Academy has not only been expanded in terms of content. Two innovations also represent an enhancement of our range of services:
Security awareness training courses as e-learning
Limes Security provides its IT and OT security awareness basic trainings now in form of e-learning modules, so that your employees can comfortably conduct the training in the office at a time that suits them best. More information under #Security Awareness E-Learning
Certification for selected courses in the OT security area with our accredited certification partner
The foundation and advanced level courses of the OT security training area can soon be booked with an additional certification option. This means that at the end of the training an official certification can be obtained from our certification partner.
The comprehensive course program is now available for download:
If you are already convinced that such a course is exactly the right thing –
You can book it online #here
Germany, Switzerland and the Netherlands are the fastest to secure their vulnerable Citrix systems
Since 11.01.2020, Alpha Strike Labs of Limes Security GmbH has been performing scans for vulnerable Citrix systems with the vulnerability CVE-2019-19781, which according to current media reports and Twitter comments is already being actively exploited. For scan acquisition, they use the DCS scan network with over 1000 different search nodes , which was presented at CCCamp 2019.
A chronological analysis shows that Germany, Switzerland and the Netherlands patched about 85-90% of the Citrix servers that were originally vulnerable on January 21, 2020. Other countries such as China, France and the USA, on the other hand, only achieve a patch rate of 24-56%. On 11.01. there were 49,492 vulnerable Cirtix servers worldwide and on 21.01. there were still 18,620 vulnerable systems.
In Germany, about 24 hours after the Citrix patch was made available, “only” about 800 and in Austria 137 Citrix servers freely accessible from the Internet were affected by the vulnerability.
While 171 clinics and hospitals were still affected at the first scan time in Germany, Austria and Switzerland (DACH region) on 11.01.2020. About 5 days later there were only 31 Citrix instances and another 5 days later only 6 vulnerable systems. However, more than 140 energy suppliers such as public utilities were also affected at the first scan time. At the current point in time (21.01.2020), there are still 21 utilities that have a vulnerable Citrix service.
The public sector, which includes above all the state and federal authorities, also poses a major problem. Here 212 servers were affected on 11.01. and currently only 21 servers were affected. If one takes into account that the first scan was carried out about 3 weeks after the vulnerability became known in mid-December, this shows that the public administration in the DACH region also has some catching up to do in the area of patch or security management.
Searching for traces
However, the analyses show large differences between countries in terms of patch time. It is very difficult to investigate the causes of this. However, if you look at the countries with Google search queries for the Citrix vulnerability with CVE number “cve-2019-19781”, you can immediately see that the countries with the highest patch level of 90%, Switzerland and the Netherlands, are also the countries with the most search queries for this vulnerability.
Furthermore, it can quickly be seen that from 13.01.2020 onwards, the interest of Google users in the vulnerability has increased significantly. At the same time, the scan data shows that after 13.01.20, the protection of the systems has also increased considerably. This is certainly also connected with the increased media coverage.
It is a good sign that many systems no longer have this vulnerability, but it is also frightening how long it takes to apply the patch or hotfix to the operators of these systems worldwide. The Limes Security team offers more information about this case and how to react quickly – contact us!