New Zealand’s top power, gas, broadband and phone company Trustpower has entered a partnership with San Francisco-based Nozomi Networks to roll out its Guardian solution to boost security and improve network visibility.
Previous security strategies the company had invested in, such as prevention and firewalls, proved unsuccessful in delivering the network visibility it needed to secure its systems from new malware attacks.
Nozomi Networks’ monitoring solution delivers industrial control system (ICS) visibility and security to fend off cyberattacks from compromising control networks and reduce operational disruptions. Following tests conducted in a lab environment, Guardian successfully captured live network traffic, devices connected to the network and how they interacted, the company said. The tests were rolled out for up to five times its node capacity.
Guardian has now been implemented across the entire operational network to deliver asset discovery, inventory and operational transparency, automatic real-time warnings of industrial events such as alerts generated by custom-designed rules and constraints, and traffic analysis for investigations. It has already detected a number of anomalies in the company’s third-party supplier network, anomalies ranked among top threats in enterprise security.
“As we continued to expand, digitize and add to our operational environment, this lack of visibility presented a major challenge,” said in a prepared statement Marty Rickard, Trustpower delivery manager — operational technology. “We needed a new approach to cut through the noise, gain real insights into our network and ensure we were protected from cyberattacks.”
Trustpower currently has over 230,000 customers and 700 staff across the country, with 30 hydro power stations operating in 19 hydroelectric power systems. Nozomi Networks won the contract in a bidding process.
“Cybersecurity, like cybercrime and the threat landscape, needs to continually evolve. New Zealand businesses need visibility into their networks and awareness of who has access, and to what extent, to ensure they are protected,” says Andrea Carcano, co-founder and Chief Product Officer at Nozomi Networks in a prepared statement. “Advanced OT-IoT visibility and security technology is essential to achieve this. Trustpower recognizes that and has now created a better operating environment for its business, customers and third-party suppliers.”
After a deep dive into the country’s main organizations’ cybersecurity resilience, New Zealand’s government department of Communications Security Bureau (GCSB) has released a set of guidelines for local companies to follow to boost cybersecurity strategies.
“Nozomi Networks has enabled us to meet New Zealand’s Voluntary Cyber Security Standards for Industrial Control Systems (VCSS-OCS),” said Matt van Deventer, Head of Technology at Trustpower in a prepared statement. “Maintaining and exceeding these standards is a key priority for Trustpower and Nozomi Networks enables us to comfortably achieve that.”
By implementing Nozomi Network’s monitoring solution, Trustpower has improved supply chain security and third-party relationships, the company says.
Ransomware with ICS-specific characteristics detected in the wild
Vendors such as Nozomi are addressing a growing problem. Industrial environments such as electric grids and dams are at major risk after a new ransomware strain with ICS-specific functions were detected in the wild, ArsTechnica reported. This is very sophisticated malware which not only encrypts data but meddles with control systems required by sensitive industrial systems to function properly.
Dubbed Ekans, it is an obfuscated ransomware variant detected mid-December 2019 by researchers at security firm Dragos. Ekans has some of the traditional features of a ransomware infection such as file encryption and ransom display, Dragos explained, but it has a number of added capabilities “to forcibly stop a number of processes, including multiple items related to ICS operations,” and destroys 64 processes associated with industrial control system operations (ICS), including interfaces from Honeywell, General Electric’ Proficy Historian, and GE Fanuc licensing servers.
“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos further stated. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”
Ekans allegedly resembles MegaCortex ransomware, which was detected in August 2019, both targeting the same processes. However, Dragos believes Ekans is a “relatively primitive attack,” because it lacks the capability to proliferate across the network.
Dragos | IIoT | network | Nozomi Networks | ransomware | security | utilities