New Portal Launched For ICS/SCADA Threat Intelligence-Sharing Among Nations

The East-West Institute teamed up with the US ICS-ISAC to create a platform for critical infrastructure operators worldwide to share threat data.

In the aftermath of the unprecedented cyberattack that led to a blackout in Ukraine last December, members of the US ICS-CERT team flew to Kiev to get debriefed by their Ukrainian counterparts. It was both a crucial information-gathering trip and a reality-check for US critical infrastructure operators, according to US Department of Homeland Security officials, that such an attack could be pointed at power grids anywhere in the world.

The Ukraine power grid attack–although obviously targeted–“punctuated” the global nature of cyber threats in the ICS/SCADA community, says Chris Blask, chair of the ICS-ISAC, the US-based industrial control system/SCADA threat intelligence-sharing group.

Connecting power utilities and other critical infrastructure operators all over the world is the latest weapon in protecting these systems: a new portal launched this week by the ICS-ISAC and the nonprofit East West Institute (EWI) lets the critical infrastructure sector share and gather information from their counterparts in other nations.

The EWI Information Sharing Community portal is based on the Facebook At Work collaboration platform, and initially is being used for sharing threat information, best practices, lessons learned, and other information. It ultimately will be built out to share more sensitive threat intel including indicators of compromise such as malware markers or malicious IP addresses associated with an attack suffered by a power plant, for example.

“It’s [about] global situational awareness,” Blask says. “If something happens, you have a space where you an reach out and have people help … as opposed to Google [searches] and a phone call.”

Blask says while groups such as the ICS-ISAC are open to international members, it’s still a US-based entity, so the new portal backed by EWI provides a more global connection for ICS/SCADA operators and interests. “They are using this platform for building [online] groups and communities,” he says, and ultimately, it will be built out for real-time, machine-readable threat intel feeds via the STIX (Structured Threat Information Expression) and TAXII (Trusted Automation Exchange of Indicator Information) protocols, he says.

A few hundred users have signed up so far, and the portal includes public and private areas, much like other threat intel-sharing portals. Among the early adopters are law enforcement groups, ICS vendors and ICS operators, and research and academic institutions, from around the world.

“We started with the premise that we might have a better chance at securing critical  infrastructure individually if we looked at it globally,” says Tom Patterson, chair of a group on strengthening critical infrastructure resilience and preparedness that launched the initiative. “We got great response from all over the world … It encouraged us to create a global information exchange in a trusted forum. It’s a way for them to share information among themselves on threats and counter-measures.”

Patterson, who is vice president and global security leader for Unisys, says the EWI Information Sharing Community is not technically a global ISAC or ISAO for ICS/SCADA, but more of a place for public and private sector operators of critical infrastructure, different nations’ ISACs, and government agencies to collaborate.

Kenya’s ICT Secretary at its Ministry of Information Communication and Technology, in a statement said her nation plans to participate. “Kenya is taking an active role in addressing cybersecurity risks. We welcome this opportunity to share lessons learned with others in the global critical infrastructure community,” ICT secretary Katherine Getao said.

The ICS-ISAC has set up a registration page for the new portal.

Related Content:


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

More Insights

Hackers Attack Major US Law Firms

Hackers broke into computer networks of prominent law firms, and the FBI is investigating whether the stolen data was used for illegal trading purposes, the WSJ reports.

Major US law firms including Cravath Swaine & Moore, and Weil Gotshal & Manges, and others suffered cyberattacks last year, but it is yet to be determined what information was breached or if it was for illegal insider trading purposes, a Wall Street Journal report says.

The Manhattan U.S. attorney’s office and FBI last year began an investigation into the attacks. Officials from Weil Gotshal have not yet commented on the incident, while Cravath said in a statement that the incident did not have a major impact on its systems. Weil Gotshal and Cravath both represent Wall Street banks and Fortune 500 companies in merger negiations and lawsuits, for instance.

eSentire’s threat intelligence feed Cymon shows nearly 50 different law firms being targeted in attacks, according to the security firm.

Security firm Flashpoint had issued alerts and notices to law firms in past few months to warn about possible outbreaks, as had the FBI. 

Read more about the cyberattack campaign against law firms in the Wall Street Journal report.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

GNOME privacy options give users even more desktop security


Image: Jack Wallen

Security has never been more important. Any time you open a file, you leave a trail behind. When you delete files, they remain in the trash until you manually purge them. Your computer can even use certain services to help websites and apps pin down your location. And your machine’s screen lock setup may not suit your needs. For anyone using a PC for business, these things can be crucial, as sensitive data comes in all forms.

More about IT Security

GNOME is helping you to improve security by wiping away that breadcrumb trail. Instead of having to manage these issues in various places such as display settings, file manager, and location settings, the developers of GNOME put these security-centric settings in one location: the GNOME Privacy tool.

What you can do with it

With the new GNOME Privacy tool (which has been refined in GNOME 3.18), you can configure the following by going to Settings | Privacy:

  • Screen Lock
  • Usage & History
  • Purge Trash & Temporary Files
  • Location Services

There is no need to install third-party software — it’s all there…ready to help.

SEE: Tech Pro Research’s Privacy Policy

How does it work?

1. Click into the Privacy section of Settings, and you’ll see a user-friendly window (Figure A).

2. Click on any entry, and configure it to your needs.

Figure A

Figure A

Figure A

Image: Jack Wallen

The GNOME Privacy tool is ready to go.

3. Open the Screen Lock section. This is where you can enable/disable the Automatic Screen Lock, determine the amount of time before the screen goes blank, and set whether notifications are displayed in the lock screen (Figure B). I highly recommend enabling the screen lock and disabling notifications. With notifications enabled, it could be possible that someone might spy sensitive information…even when your screen is locked.

Figure B

Figure B

Figure B

Image: Jack Wallen

The GNOME Privacy tool’s Screen Lock settings.

4. Click in the Usage & History section. This is where you can set up GNOME to either retain or not retain your file usage history. This is very important, especially to users that are seriously concerned about privacy. By default, Privacy will be set to retain history forever (Figure C). You can opt to retain file history for Forever, 1 Day, 7 Days, or 30 Days. If you opt to enable the retention of file history, I recommend setting it to the shortest number of days that you can work with.

Figure C

Figure c

Figure c

Image: Jack Wallen

Configuring privacy for file history.

5. Click the Purge Trash & Temporary Files section. This setting can automatically delete files from your trash when you forget to do so. By default, this is disabled (Figure D). I recommend enabling this setting, especially if the computer in question is used for work.

There are no options for the purging of trash. This means that, if enabled, when you delete a file, it is completely removed. If disabled, when you delete a file, it goes to the Trash folder until it is manually purged by right-clicking the Trash folder and clicking Empty Trash.

Figure D

Figure D

Figure D

Image: Jack Wallen
Setting up how GNOME purges your trash.

Another setting in this section is how temporary files are managed. You can enable the automatic purging of temporary files. In some cases, these temporary files can increase the performance of an application by caching data. When you purge these temp files, the application(s) will have to, once again, cache the data. Those temporary files can (in certain cases) be considered security risks. I recommend enabling the purging of temporary files and setting the frequency to the fewest number of days you can work with.

Finally, you can enable/disable the Location Services. With this enabled, applications (especially websites) can track your location. If this is a point of contention for you, make sure it is disabled. By default, Location Services is turned off.

Usage of the privacy tool may vary

If it’s a business laptop, you’ll want to take the time to carefully set up GNOME Privacy to prevent others from gaining access to sensitive data. If it’s a home computer, you should still considering going through the settings, as there will still be sensitive data retained on the machine.

Have the developers of GNOME gone far enough with security, or does the desktop need more? Share your thoughts in the comments.

Also see

Machine Learning In Security: Seeing the Nth Dimension in Signatures

How adding “supervised” machine learning to the development of n-dimensional signature engines is moving the detection odds back to the defender.

Second in a series of two articles about the history of signature-based detections and how the methodology has evolved to identify different types of cybersecurity threats.

Many security vendors are now applying increasingly sophisticated machine learning elements into their cloud-based analysis and classification systems, and into their products. All of these techniques have already proven their value in Internet search, targeted advertising and social networking business arenas.

For example, supervised learning models lie at the heart of ensuring that the best and most applicable results are returned when searching for the phrase “never going to give you up.”

This is why signatures are still so important – not as a replacement, but as a companion. They represent   the application of unsupervised machine learning to threat detection and classification. In other words, what the current generation of unsupervised machine learning brings to security is the ability to detect threats that are anomalies or unclassified events and behaviors. An n-dimensional signature unsupervised model improves on human-derived signature detection models, such as the one, two and multi-dimensional signature detection models discussed in my earlier article.

 N-dimensional Signatures

Multidimensional signatures and the security products that use them rely heavily on human researchers and analysts to observe and classify each behavior for efficacy.

If a threat exhibits a new malicious behavior (or a false positive behavior has been identified in the field), the analyst must manually create or edit a new signature element and its classification, and include it as an update. The assumption is that humans will be the most relevant elements of a threat and can label them.

The application of machine learning to the problem largely removes humans and their biases to the development of an n-dimensional signature (or often called a “classification model”).

Instead of manually trying to figure out and label all the good, bad, and suspicious behaviors, a machine is fed a bunch of “known bad” and “known good” samples, which could be binary files, network traffic, or even photographs. 

It then takes and compares all the observable behaviors of the collected samples, automatically determines which behaviors were more prevalent or less prevalent to each class of samples, calculates a weighting factor for each behavior, and combines all that intelligence in to a single model of n-dimensions – where n is a variable size based upon the type and number of samples and behaviors the machine used. 

Enter ‘Supervised Learning’

Different sample volumes and differing samples supplied over time will often affect n. In machine learning terminology, this process is called “supervised learning.” 

Historically, there existed a class of threat detection referred to as “Anomaly Detection Systems” (ADS) that effectively operated on the premise of baselining a network or host activity. In the case of network ADS (i.e. NADS), the approach would entail constructing a map of network devices, identifying who talks to who over what ports and protocols, how often, and in what kind of volume.

Once that baseline is established (typically over a month), any new chatter that was an anomaly to that model (e.g. a new host added to the network) generated an alert – subject to certain thresholds being defined. Obviously that approach generated incredibly high volumes of alerts and detection was governed by those threshold settings. As a technology, ADS represented a failed branch of the threat detection evolutionary tree.

Without getting into the math, unsupervised machine learning has allowed security vendors to revisit the ADS path and detection objectives – and overcome most of the alerting and threshold problems. The detection models and engines that use unsupervised machine learning still require an element of baselining, but continually learn and reassess that baseline on an hourly or daily basis. 

As such, these new detection systems are capable of identifying attack vectors such as “low-and-slow” data exfiltration, lateral movement, and staging servers. These threats are difficult or cumbersome to detect using signature systems.

It is inevitable that machine learning approaches will play an increasingly important role in future generations of threat detection technology. Just as their use has been critical to the advancement of Internet search and social media applications, their application to information security will be just as great. 

Signature-based threat detection systems have been evolving for more than two decades, and the application of supervised machine learning to the development of n-dimensional signature engines over the last couple of years is already moving the detection odds back to the defender. When combined with the newest generation of unsupervised machine learning systems, we can expect that needle to shift more rapidly in the defender’s favor.

Return to part 1: Machine Learning In Security: Good & Bad News About Signatures

Related Content: 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Gunter Ollmann is chief security officer at Vectra. He has nearly 30 years of information security experience in an array of cyber security consulting and research roles. Before joining Vectra, Günter was CTO of Domain Services at NCC Group, where he drove strategy … View Full Bio

More Insights

Security experts: what’s wrong with Internet of Things security, and how to fix it


A map of connected devices. | Image: Thingful

Every object you interact with on a daily basis will soon be networked, collecting data, and easily hacked. Internet of Things security is already so bad that simple search engines have indexed and provided detailed information about millions of connected devices around the world, ranging from common wearable devices to home climate systems to public security cameras.

The IoT will power countless new businesses and enrich the lives of consumers. But as 20 billion devices power up over the next decade, the security risks for IoT will be as great as the rewards. “The emotional reaction of security professionals when looking at IoT is to throw up one’s hands, decry how everything is always broken forever, and we’re doomed,” said Tod Beardsley, Rapid7‘s Senior Security Research Manager. “To be sure, there are serious, systemic problems in the IoT space. These problems are real and difficult, but not insurmountable.”

SEE: Three ways encryption can safeguard your cloud files (Tech Pro Research story)

While the Internet of Things is young, the landscape is already populated by millions of connected, data-chirping devices. Two search engines, Shodan and Thingful, were recent subjects of an internet kerfuffle when the services were used to shoot footage inside homes and other private locations.

ZDNet reported:

Shodan is a voyeur’s dream. A quick scan either through paid or free membership using terms such as port:554 has_screenshot:true reveals cameras installed in places ranging from car parks in Japan to bars in France, private lounges in Korea to rabbit cages in Germany.

The massive scale of IoT is a boon and a curse. Beardsley explained that a lack of ability on the part of vendors to produce interoperable secure firmware, web, and mobile applications that encompasses the breadth of IoT presents a number of vulnerabilities. “Consumers are unable to accurately and confidently assess the security of the devices and gadgets they already have in their home,” he said. “These are all pretty massive challenges.”

More about IT Security

Beardsley is particularly concerned that IoT attacks could be completely invisible, since most IoT products don’t have strong security or logging controls. “If I’ve compromised your IoT device, you likely won’t even notice,” he said.

Timothy Sparapani, Founder of SPQR Strategies and former Director of Public Policy at Facebook, agrees. “The state of IoT security is very poor. We are learning that most IoT systems are essentially insecure,” he said.

Sparapani explained that little has been done to secure IoT systems because IoT devices were seen as a lower priority by manufacturers and security professionals alike. The focus of data security has been on shutting down attacks that could cause consumers direct harm through loss of personal information, like banking accounts and medical information.

“The greatest vulnerability for both businesses and consumers is that we have not yet developed a [standard] for shipping patches for security vulnerabilities remotely,” Sparapani said.

READ: Cyber defense: Trends, strategies, and best practices (Tech Pro Research story)

In the near future IoT fragmentation will span industries. “We will increasingly rely on sensors on our devices, in our transportation systems, our food production and delivery systems, in our factories, on our farms, and in our homes,” Sparapani said. “If those IoT systems are corrupted by hackers, the amount of chaos could be immense. When we turn over devices to IoT monitoring there will be very few people who have the skills to fix the device in question when it is hacked, and even fewer who are proximate to the devices to physically override their programming.”

Both Sparapani and Beardsley agree that the more business and consumers understand about the IoT security environment, the easier it is to stay safe while enjoying the benefits of a connected world.

What does a strong IoT security model look like?


A strong, mature IoT security profile is really just the basic level security that we enjoy on our traditional platforms: routine, automatic updates to software to patch against shipping vulnerabilities.

As a rule, IoT devices ship without any patch pipeline in place, so if we come across an IoT device that actually does support automatic patching, then I’m pretty happy that I’m dealing with a vendor that has at least thought that part through.

[Business] should base [IoT] decisions in part on security. Do a little bit of legwork on the company you’re considering buying from by checking to see if there have been vulnerabilities published, and fixed, in the past. A company that welcomes, rather than spurns, vulnerability reports, is a company I would much rather support with my buying decisions.

Weak and absent passwords are both common on the internet, and specifically a problem with IoT. Poorly designed IoT devices also lack encrypted communications, which opens up a couple of major issues. One, sensitive personal information is transmitted in the clear, for anyone on the local network and upstream network to eavesdrop on. And two, IoT devices cannot be sure they’re communicating with the real and correct vendor-supplied web applications or mobile apps. Encryption isn’t just about keeping secrets, it’s also about authentication, so an IoT device that operates in cleartext, rather than over encrypted channels, is inherently untrustworthy.


It starts with recognizing that IoT security must be a priority, and that security features must be built into IoT devices by default. The next evolution will be when we build a system to ship code patches to close vulnerabilities and resolve attacks remotely at scale to deployed devices.

What does IoT security look like today, and what does it look like in 2020?


I’m hopeful that we’ll get ahead of the encryption and default/weak/missing password problems, and have normalized patch distribution solutions. With those fundamental elements in place, we’ll be in a good position to ensure that the IoT space stays safe and secure.


In four years we will have seen the breach of IoT systems by hackers, both playful, and those bent on sowing chaos and destruction. We’ll have awakened to the risks of insecure devices, and we’ll be playing catch up.

The benefits of IoT for individuals and for society will be well demonstrated and we’ll be trying to retrofit old devices with new security protocols. If we are lucky, we will have some standardized systems to patch known security vulnerabilities remotely.

READ: IoT and wearables thriving in the enterprise (Tech Pro Research story)

The problems are real and difficult, but not insurmountable, Beardsley said. “Security professionals still have time to get ahead of the coming IoT tsunami. We have expertise on how to engineer better security, how to fix and maintain rapid patch development and deployment, and how to educate both consumers and regulators. We have plenty of work ahead of us, but I’m optimistic we will be able to get a handle on these issues before it’s too late.”

Read more