ics   1174

« earlier    

Acquisition Forecast | Acquisition Planning Forecast System
APFS Number
F2018041867 NAICS Code
541512 Component
Immigration and Customs Enforcement Sub-component
Enforcement and Removal Operations
Contract Vehicle
DWAC/EAGLE II Dollar Range
$20,000,000 to $50,000,000 Small Business Program
None Contract Status
New Requirement
Estimated Release
July 20, 2018 Anticipated Award Quarter
Q4 2018
POC Name
Diane Devendorf POC Phone
202-732-3411 POC Email
This project will develop a self-service kiosk system, the Compliance Assistance Reporting Terminal (CART), to automate the check-in process for aliens with reporting requirements on the non-detained docket. Because of the routine and repetitive nature of non-detained docket reporting, much of the process can be automated, freeing up ICE resources for higher-risk cases and enforcement priorities. Low-risk populations with a history of compliance with immigration proceedings are envisioned as the initial population for CART. The CART business process will account for many of the steps identified in the current non-detained reporting process, including the following functionality: • Capturing and submitting fingerprints to validate the alien’s identity (which is an enhancement over the visual verification used by officers today) • Utilizing existing system data to conduct a search for any recent criminal history activity (criminal encounters, wants/warrants and disposition of previous criminal encounters); • Permitting the alien to input new data (e.g., change of address, phone number or job status; request to speak to officer) into the system; and • Informing the alien of a subsequent check-in date, or prompting the alien to report to appropriate ICE staff for immediate follow-up actions • Populating relevant data and outcomes to ICE case management system The proposed system will consist of a touchscreen display, fingerprint scanner, camera, and printer integrated into a standing ATM-style kiosk. The software will be 508-compliant and will support multiple languages. The kiosk system will require integration with existing federal IT systems and databases including Enforce Integrated Database (EID) and ENFORCE Alien Removal Module (EARM) for case information; Interstate Identification Index (III)/Next Generation Identification (NGI) for up-to-date criminal history; NCIC for wants/warrants check; and Automated Biometric Identification System (IDENT) for fingerprint verification, using existing services. With the exception of fingerprint verification and reporting capabilities, all steps in the process are already performed by a Deportation Officer during in-person reporting sessions. No additional systems are queried, no additional information is collected from the subject or queried systems, and no additional populations are involved.
9 weeks ago by dan.p.taylor
Virtual Session: The 5 Most Dangerous New Attack Techniques, and What's Coming Next - YouTube
ICS Opportunistic (general malware that got into control networks)
- Conflicker, Petya/Notpetya, BlackEnergy3
ICS Themed (malware to get ICS access, targeting control engineers)
- Dragonfly 2.0
ICS Tailored-Access (ICS exploits and capabilities on control systems)
- BlackEnergy2, Havex Dragonfly 1.0
ICS Tailored-Effects (interact with ICS to cause damage and destruction)
- Stuxnet, Crashoverride
ics  coinjacking  cybersecurity  rsa 
10 weeks ago by bwiese
CORRECTING and REPLACING Accenture and Ponemon Institute Report: Cyber Crime Drains $11.7 Million Per Business Annually, Up 62 Percent in Five Years | Business Wire
On average, a company suffers 130 breaches per year, a 27.4 percent increase over 2016 and almost double what it was five years ago. Breaches are defined as core network or enterprise system infiltrations.
Companies in the financial services and energy sectors are the worst hit, with an average annual cost of $18.28 million and $17.20 million respectively.
cybersecurity  reference  ics  costs 
10 weeks ago by bwiese
Hacker's Playbook Updated with Methods for US-CERT Alert TA18 074A
Newly added playbook methods related to TA18-074A

Playbook #1496 - Transfer of attack tools

Network Controls - Are security controls in place to prevent the download and transfer of the infiltration, filedropper, and malicious network traffic interception tools used in this attack?
Playbook #1498 - Local installation of attack tools

Endpoint Controls - Are security controls in place to prevent the local deployment of the various tools and malware used in this attack?
Existing playbook methods already validating security related to TA18-074A

Playbook #242 - SMB communications

Network Controls - Are security controls in place to prevent credential theft over SMB?
Playbook #1269 - Windows scheduled task creation

Endpoint Controls - Is endpoint hardening sufficient to prevent remote scheduling of Windows tasks for malicious actions?
Playbook #1342 - PowerShell - get periodic screenshot and zip

Endpoint Controls - Is endpoint hardening sufficient to prevent remote PowerShell execution, as well as the ability to take and send screenshots?
soc  playbook  workflow  ics  cybersecurity 
10 weeks ago by bwiese
SANS Industrial Control Systems Security Blog | Triton/TriSIS - In Search of its Twin | SANS Institute
This leads me to ask, where is Triton/TRISIS' DCS-focused twin? It is possible that the targeted facility was merely a test and development environment for Triton/TRISIS or it was an environment to test additional malware to include the twin (did the facility look beyond the SIS?). I believe the ICS community should be on watch for a sister capability that takes control of a DCS to drive a process into unsafe conditions. The combination of Triton/TRISIS and Capability-X would allow an attacker to drive a process into a hazardous state and achieve effects that range from equipment damage to release of materials/chemicals used in the process
ics  cybersecurity  trisis  scada  sans 
10 weeks ago by bwiese
Trisis has the security world spooked, stumped and searching for answers
Unbeknownst to Dragos, Schneider had also been in contact with DHS, providing the agency with insight into the malware. Once DHS saw the evidence, officials connected Schneider with the Fulton, Maryland-based startup in order to gain a more complete picture of the case — which allowed for further analysis and a private warning to partners.

The Office of the Director of National Intelligence (ODNI) and NSA declined to comment for this story.

malware  ics  cybersecurity  dhs  dragos  trisis 
10 weeks ago by bwiese
Dragos Blog - Threat Analytics and Activity Groups
Transitioning from atomic, fleeting, and backward-looking IOCs as the foundation of security response and visibility is vital in transitioning network defense – not just ICS defense – into a more responsive, flexible, and active position. By identifying threat behaviors and designing behavioral analytics to capture these, analysts can begin shifting detection and response solidly to the defender’s advantage, while further refinement to track specific activity groups through instantiations of more general analytics can increase accuracy, confidence, and efficacy in specific response instances.
cyberthreatintel  cybersecurity  dragos  ics  analytics  threathunting  ueba 
10 weeks ago by bwiese
Cylance’s ‘Operation Cleaver’ Report Exposes Coordinated Cyber Attacks on Global Critical Infrastructure by Iran-Based Hackers
“Operation Cleaver” because the Cleaver name was included several times in the custom software used in the cyber hacks – covers more than two years of attacks by individual contractors and a hacking team fronting as a construction engineering company based in Tehran. Through custom and publicly available tools that use, among other methods, SQL Injection, spear phishing, and water holing attacks, the group was able to extract highly sensitive and confidential materials and compromise networks with persistent presence to such a severity that they have control over networks of victims in 16 countries. Cylance found significant victims in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates and the United States.
ics  scada  cybersecurity  iran  cylance 
10 weeks ago by bwiese
Stream Real-Time Device Data into Splunk | Kepware
Tool for collecting IOT and ICS/SCADA data, traditionally to a Data Historian. Industrial Data Forwarder.
ics  scada  splunk  iot 
10 weeks ago by bwiese
New Insights into Energetic Bear's Attacks on Turkish Critical Infrastructure
The image URL redirects to a link using the file:// scheme, which forces the connection through the file protocol, which then allows the group to harvest Microsoft SMB credentials.

RiskIQ found that the SMB credential harvesting host at is not always directly included on the websites. Instead, the intermediary host at is usually present on the web pages, which, in turn, redirect visitors—most likely with some filtering to avoid unwanted traffic—to the SMB harvesting host. Additionally, the URL format of the file requested, which in this case was turcas_icon.png, is not related to the referring website. Instead, Energetic Bear seems to use a form of tagging to correlate any possible victims and their source website. The format we observed is <tag>_icon.png and <tag>.png.

Waterhole attack / Strategic Web Compromise
cybersecurity  ics  waterhole  russia  passivetotal  riskiq  swc  scada  supplychain  javascript 
12 weeks ago by bwiese
Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure « Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc
TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.
triton  ics  scada  cybersecurity  fireeye 
may 2018 by bwiese
Schneider Electric: TRITON/TRISIS Attack Used 0-Day ...
chneider's controller is based on proprietary hardware that runs on a PowerPC processor. "We run our own proprietary operating system on top of that, and that OS is not known to the public. So the research required to pull this [attack] off was substantial," including reverse-engineering it, Forney says. "This bears resemblance to a nation-state, someone who was highly financed."

The attackers also had knowledge of Schneider's proprietary protocol for Tricon, which also is undocumented publicly, and used it to create their own library for sending commands to interact with Tricon, he says.

Forney points out that the malware technically had infected the safety controller, and the "attack itself would come much later" if it had not been found out.

TRITON/TRISIS is an attack framework made up of the two programs: one exploits the Triconex zero-day flaw to escalate user privileges and allowed the attacker to manipulate the firmware in RAM and then implant the RAT, the second program, according to Schneider.

In its customer advisory, Schneider recommends:

Ensure the cybersecurity features in Triconex solutions are always enabled.
Safety systems must always be deployed on isolated networks.
Physical controls should be in place so that no unauthorized person would have access to the safety controllers, peripheral safety equipment or the safety network.
All controllers should reside in locked cabinets and never be left in the “PROGRAM” mode.
All Tristation engineering workstations should be secured and never be connected to any network other than the safety network.
All methods of mobile data exchange with the isolated safety network such as CDs, USB drives, DVD’s, etc. should be scanned before use in the Tristation engineering workstations or any node connected to this network.
Laptops and PCs should always be properly verified to be virus and malware free before connection to the safety network or any Triconex controller.
Operator stations should be configured to display an alarm whenever the Tricon key switch is in the “PROGRAM” mode.
triton  ics  scada  vulnerability  firmware 
may 2018 by bwiese
Schneider Electric: TRITON/TRISIS Attack Used 0-Day ...
TRITON/TRISIS was literally a fail and didn't make it to an actual cyber-physical attack phase, according to Schneider's analysis. "We now know a real attack probably never took place. There was a mistake in the development of the malware that accidentally caused the Triconex to … be tripped and taken to a safe state. As a result, this malware that was in development was uncovered," s
ics  scada  vulnerability  cybersecurity  plc  triton  firmware 
may 2018 by bwiese
Everything We Know About Ukraine's Power Plant Hack | WIRED
two power distribution companies in Ukraine said that hackers had hijacked their systems to cut power to more than 80,000 people. The intruders also sabotaged operator workstations on their way out the digital door to make it harder to restore electricity to customers. The lights came back on in three hours in most cases, but because the hackers had sabotaged management systems, workers had to travel to substations to manually close breakers the hackers had remotely opened

To prolong the outage, they also evidently launched a telephone denial-of-service attack against the utility's call center to prevent customers from reporting the outage
scada  cybersecurity  ukraine  ics 
may 2018 by bwiese

« earlier    

related tags

-  2011  3  365  382:  advisory  alternativeto  amplifier  analytics  android  annarbor  apfs  archiv  assessment  audit  av  batch  bit  book  boots  c#  caldav  calendar  calendario  calendars  callforpapers  car  cert  ceta  chips  cli  click-dimensions  clojure  coinjacking  collaboration  collision  comp3911  control-systems  convert  converter  convertir  cooling  costs  credentials  critical  cset  csf  cso  csv  cvs  cyber  cyberkillchain  cybersecurity  cyberthreatintel  cyberweapon  cylance  damaged  data  default  dev  dhs  dragonfly  dragos  drive  embedded  emulator  energy  event  events  ews  excel  exchange  export  ficheros  file  files  fireeye  firmware  fix  flash  framework  free  from  germany  google  googleapps  googlecalendar  googlesuite  grassmarlin  hacking  hardware  heat  high  hmi  honeypot  hoses  hosting  human  ical  icalendar  icalshare  icsid  import  inbox  industrial-control-systems  infrastructure  install  invitation  iot  iran  isds  java  javascript  jetting  kalender  liquid  lnk  malware  management  mic  microfluidic  migration  mitre  modbus  multiple  network  nist  nsa  nse  office  on  online  onlinetool  open-source  open  outlook  paper  parser  part  passivetotal  password  pcap  pentest  php  playbook  plc  power  pressure  process-control  productivity  programmieren  programming  publish  python  qubes  radio  reference  repair  research  rf  risk  riskiq  riskmanagement  rmf  robot  router  rsa  russia  sabotage  sans  scada  scanner  scrm  security  semiconductor  service  share  siemens  smartphone  smb  soc  software  spearphishing  splitter  splunk  stopttip  story  study  stuxnet  supplychain  swc  symantec  synchronization  talos  tegenlicht  tethering  threat-research  threatactors  threathunting  time.ly  timezone  tisa  to  tool  tools  traffic  training  trisis  triton  ttip  ttipalarm  ueba  ukraine  uncitral  uscert  utility  vba  video  vtimezoneblock  vulnerability  water  waterhole  webapp  webdev  webdevelopment  widget  workflow 

Copy this bookmark: