The water sector is one of the critical infrastructures (CRITIS). A successful attack on the sector can lead to significant hygiene and health problems and, in the worst case, threaten human lives. At the 6th VDI conference on “Optimizing Industrial Wastewater Treatment Plants”, Greenbone Networks will provide information on cyber resilience in the water sector and how it can be achieved by identifying and eliminating vulnerabilities at an early stage.

Everything Fine Thanks to Digitization?

Digitization is seen as the savior of the hour. Even if this may be viewed critically at times, this development cannot be stopped. There are simply too many reasons in favor of digitization. But there are also many reasons that we need to take a critical look at, especially where our security is concerned. The more information technology we put in place, the more digitized attack surfaces we offer.
Malicious users of these attack surfaces can operate globally, and likewise digitized currencies like Bitcoin allow them to profit from vulnerabilities globally as well.

Unlike a bank robbery, an attack on an industrial wastewater facility is more of a means to an end. The attacker does not want the contents of a safe, but rather targets the vulnerability as such in order to gain advantages, usually through blackmail. Not only technical systems themselves are attacked, but often also the technical and organizational environment from networks to administration. These attackers are not hackers with hoodies and matrix screen savers who just happen to be short of money, but criminal organizations that are industrially and professionally organized. We must arm ourselves against them with resilient organizations, processes and solutions. This brings the topic of cyber resilience more and more to our attention.

Cyber resilience is the ability of a company or organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks, but also unintentional obstacles such as a failed software update or human error. Cyber resilience is a comprehensive concept that goes beyond IT security. It combines the areas of information security, business continuity, and organizational resilience. To achieve a state of cyber resilience, it is important to identify vulnerabilities early, prioritize them economically, and eliminate them.

Why Cyber Resilience Is Particularly Important for Critical Infrastructures

Sustainable cyber resilience is important for companies in all industries. But it is indispensable in the area of critical infrastructure (CRITIS). As defined by the German government, this includes “organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.”

CRITIS organizations must therefore protect themselves particularly well against cyber attacks – this is required by law. The EU launched the European Programme for Critical Infrastructure Protection (EPCIP) back in 2006 and expanded and supplemented it in subsequent years. Member states are implementing the EU NIS directive in national law, Germany for instance with the IT Security Act (IT-SiG). Large economic nations have already developed regulatory bodies. In the U.S., for example, this is the National Institute of Standards and Technology (NIST) and in Germany the Federal Office for Information Security (BSI).

In Germany, the critical infrastructures are divided into 9 sectors. One of these is the water sector with the divisions of public water supply and wastewater disposal. It includes, for example, waterworks, pumping stations, water pipelines and networks, wastewater treatment plants, the sewerage system, and dam and flood protection facilities. They all play a critical role in our society.

Attacks on the water supply could therefore hit a society to the core and, in the worst case, threaten human lives. Attacks on the wastewater disposal system are just as dangerous. If it no longer functions, the result would be considerable hygienic and health problems. Since the water infrastructure nowadays uses many IT systems and industrial control systems (ICS), it becomes an attractive target for hackers.

Incidents Show the Vulnerability of the Water Sector

In recent years, there have been numerous attacks on water infrastructures worldwide. Fortunately, there have been no serious consequences so far. However, the attacks show that hackers are exploring how to take control of control systems and prepare further attacks. In 2013, for example, Iranian hackers attempted to penetrate the systems of the Bowman Avenue Dam near the town of Rye Brook, near New York. The dam is used to control the flow of water after heavy rains and prevent flooding of the town. The hackers managed to gain control over the flood gates’ control system. However, as these were offline at the time due to maintenance, the cyber criminals were fortunately unable to cause any damage.

In March 2016, security specialist Verizon reported a cyber attack on a U.S. water utility known by the pseudonym Kemuri Water Company in its monthly Security Breach Report. Hackers had penetrated the SCADA platform. This allowed them to manipulate programmable logic controllers. They changed settings on the water flow and the amount of chemicals added for water treatment. Fortunately, the water utility quickly discovered the incident and was able to correct the settings without causing any major damage. For their attack, the hackers exploited an unpatched vulnerability in the customer payment portal.

Between November 2016 and January 2017, cyber criminals hacked several wireless routers at a U.S. water agency. The routers were used to provide secure wireless access for pump station monitoring. Fortunately, however, the attackers were not looking to sabotage, but were targeting the agency’s Internet resources. Their bill rose from an average of $300 per month to a whopping $45,000 in December and $53,000 in January. For their attack, the hackers exploited a vulnerability in the routers of the manufacturer Sixnet. According to its own information, Sixnet had already made a patch available in May, but the authority had not installed it.

Over the past year, Israel has been the victim of multiple cyber attacks on water supply and treatment facilities. In April, hackers undertook a major cyber attack on control and monitoring systems at wastewater treatment plants, pumping stations and sewers, the Israeli National Cyber Directorate (INCD) said in a statement. The INCD then called on companies in the water sector to change the passwords for all Internet-connected systems and to ensure that control system software is up to date. The hackers attempted to change the chlorine content of water at a water treatment plant. The attack was not successful. Had it been, it could have resulted in mild intoxication of the population served by the treatment plant. In June, there were two more attacks on Israel’s water facilities. This time, agricultural water pumps were affected.

Although there has not yet been a comparable incident in Germany, the Federal Office for Information Security (BSI) reports about the implementation of the necessary organizational and technical precautions to prevent disruptions in its current report on the state of IT security in Germany. In the water sector, this reveals deficiencies in the areas of network separation, emergency management and physical security. In the reporting period from June 2019 to May 2020, there were several incidents in the water sector in Germany that were due to faults in control components. Remediation of the malfunctions was very lengthy and costly. Damage was avoided by operators acting prudently and having redundancies in place.

Attack Points in the Water Sector

IT and OT systems support the water cycle. In water production (1), quality control systems and digital pump control are used to manage water inflow from various sources towards water distribution (2). Digital metering and control methods monitor water pressure and quality in the water network and are thus part of the overall IT attack surface. In sewage systems (3), wastewater pumps and pre-treatments by filters, which are monitored at central points, are used. Water treatment (4) is a critical component due to the necessary digitalized control of physical, chemical and biological processes.

Many networked IT systems and industrial control systems are therefore used in drinking water supply and wastewater disposal, enabling largely automated processes. Examples include sensors for temperature, flow rate, or chlorine content, remotely readable meters, and web portals and mobile apps for customers.

Challenges for Cyber Resilience in the Water Sector

To achieve a state of sustainable cyber resilience, water sector organizations must consider the full range of networked systems, devices and applications.

But this is not always easy. One problem is that the ICSs used in the water infrastructure come from different generations. Many of the older control systems were developed at a time when little or no consideration was given to cyber security. This leads to a heterogeneous, vulnerable IT landscape. Additionally, the high degree of automation and dependence on industrial controls makes water infrastructure particularly vulnerable to attack. Furthermore, the IT systems in use are becoming increasingly complex. This makes it difficult for companies to achieve a sufficient level of protection. The increasing networking of components within the field and control level as well as the control and process control technology increases the complexity even further.  At the same time, this increases the attack surface for hackers. They have more and more opportunities to penetrate networks, steal data or manipulate industrial controls.

Even Previously Unexploited Vulnerabilities Should Not Be Underestimated

A recent study by Kenna Security found that the total number of vulnerabilities discovered per year has increased from 4,100 in 2011 to 17,500 in 2021. On the other hand, the percentage of vulnerabilities exploited by hackers has not grown at the same rate. What is the reason for this?

Cyber crime follows the same economic rules as any other business model: least investment for maximum result. But cyber crime also suffers from the same problem as the IT industry in general: experts are a limited resource.

Companies cannot change this initial situation, but they can ensure that their attack surface is reduced. Tolerating a large attack surface, even if the vulnerabilities are not yet weaponized, is replacing control with gambling. As soon as it seems cheaper for cyber criminals or the outcome is promising, cyber crime will focus on vulnerabilities that are not yet weaponized, and the conversion of vulnerabilities into weapons will happen quickly.

Even worse is the motivation of cyber terrorists, who have so far been fortunately unsuccessful due to a lack of expertise. It is unclear whether they will gain the necessary skills and if so, when. But they do not follow the rules of economics, which makes them less predictable in selecting targets and suitable weaponized vulnerabilities.

In essence, there are two good general reasons why organizations should establish a process to manage and minimize their entire attack surface and not just focus on current (or likely) weaponizable vulnerabilities:

  • Pandemic risk: while it may not be attractive for a single criminal organization to invest in turning a more expensive vulnerability into a weapon, the more organizations choose not to do anything about that vulnerability, the more interesting it becomes. The fewer that are vaccinated, the better the pandemic spreads.
  • Automation risk: automating exploits is not only an attractive, cost-effective way to go. It significantly reduces the window of opportunity to respond with countermeasures.

Reduced Attack Surface with Vulnerability Management

Regardless of how many vulnerabilities exist, managing damage and actively countering ongoing attacks becomes exponentially expensive for organizations if not accompanied by an ongoing process that identifies, manages and reduces the attack surface.

Cyber resilience is a continuous process. It strengthens an organization’s ability to withstand an attack and enables it to continue to function during an attack. To achieve this, it is important to reduce the attack surface and thus stabilize the base. This means identifying vulnerabilities that could be exploited by an attacker and thus staying one step ahead of the attacker.

999 out of 1,000 vulnerabilities have been known for over a year. With vulnerability management, this means that these vulnerabilities can be identified and eliminated before they are exploited by an attacker. This greatly reduces the attack surface of the IT infrastructure.

Vulnerability management systems are fully automated and, thanks to features such as schedules and custom scan configurations, offer users the ability to create complete vulnerability management processes that constantly scan for vulnerabilities. As a result, vulnerability management ensures more resilient systems in the long term.

The integration of macmon NAC with the Greenbone Security Manager creates a fast-acting, fully automated security concept. New devices or devices that are absent from the network for a longer period of time are automatically detected by macmon NAC and then checked for vulnerabilities by the Greenbone Security Manager.

Available as a physical and virtual appliance, the Greenbone Professional Edition, based on the Greenbone Security Manager (GSM), identifies security vulnerabilities in corporate IT and assesses their risk potential. In addition, the GSM recommends measures for remediating any found vulnerabilities.

The goal is to identify points of attack before cyber criminals do and thus prevent attacks. After all, practical experience shows that 999 out of 1,000 exploited vulnerabilities were already known for more than 12 months and could therefore have been closed. The solution includes a daily security update of the vulnerability tests that are run to detect the vulnerabilities. Currently, over 87,000 vulnerability tests are available. The GSM is now used in over 50,000 professional installations and integrations across all industries and company sizes. The turnkey appliance is based on open source software and can be deployed in a very short time.

Greenbone Networks has been a technology partner of macmon secure GmbH since 2018.

How does the technical partnership between macmon and Greenbone Networks work?

macmon NAC ensures that any new end devices are scanned for malware by the GSM when they are added to the corporate network and regularly evaluates the compliance status in order to protect the network. Christian Bücker, Managing Director of macmon secure GmbH, explains: “It is vital that a corporate network be scanned regularly to maintain IT security. The result of this scan is provided by GSM and evaluated at regular intervals by macmon NAC. If the device complies with company policies, it will be permitted to access the corporate network. If the device does not comply with the policies, macmon NAC can isolate the endpoint by means of a configurable response or disconnect it from the network and notify the administrator. This ensures that network access control is fully compliant at all times.”

macmon NAC recognizes new and known endpoints and initiates scans

New devices are constantly being added to a corporate network. An administrator usually ensures that a new device is not infected with malicious code and does not pose a threat to data integrity or network security. macmon NAC detects a new endpoint when it is connected to the network and instructs the GSM to perform a scan. Depending on the result of this scan, access is either granted or denied.

macmon NAC also detects a known endpoint and initiates a scan by the GSM if the device has been disconnected from the network for too long. Some endpoints cannot be scanned regularly because they are not permanently connected to the corporate network.

For example, an employee in the field can be away from home for days or weeks. When the employee returns home, the endpoint reconnects to the corporate network, macmon NAC detects the device and instructs the GSM to perform a scan. The result of this scan is provided by the GSM: if the device complies with company policies, it will be permitted to access the corporate network. If it does not, macmon NAC can isolate the end device with a configured response, just as it would for a new end device, and again notify the administrator.

macmon NAC thus regularly checks the integrity of new and temporarily disconnected endpoints, according to the time period specified by the user.
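The admission workflow described above, sketched as an added example. This is not code from macmon or Greenbone: the AccessController class, the scan callback and the fail-closed handling of a scanner error are assumptions made for illustration, and the device data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

GRANT, ISOLATE = "grant", "isolate"


@dataclass
class Record:
    last_seen: datetime   # last time the endpoint connected
    status: str           # access decision from the most recent scan


@dataclass
class AccessController:
    scan: Callable[[str], bool]   # hypothetical scanner hook: True means compliant
    max_absence: timedelta        # user-defined period after which a rescan is due
    known: Dict[str, Record] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def scan_reason(self, mac: str, now: datetime) -> Optional[str]:
        """Return why a scan is required, or None if the stored decision still holds."""
        rec = self.known.get(mac)
        if rec is None:
            return "new endpoint"
        if now - rec.last_seen > self.max_absence:
            return "absent longer than allowed"
        return None

    def on_connect(self, mac: str, now: datetime) -> str:
        reason = self.scan_reason(mac, now)
        if reason is None:
            rec = self.known[mac]
            rec.last_seen = now
            return rec.status
        try:
            compliant = self.scan(mac)
        except Exception as exc:
            # Assumption: an endpoint that cannot be scanned is treated as
            # non-compliant (fail closed) instead of being admitted unscanned.
            compliant = False
            reason += f", scan failed ({exc})"
        status = GRANT if compliant else ISOLATE
        if status == ISOLATE:
            self.notifications.append(f"{mac} isolated: {reason}")
        self.known[mac] = Record(last_seen=now, status=status)
        return status


def demo():
    """Run constructed connect events through the controller."""
    laptop, camera, printer = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    verdicts = {laptop: True, camera: False}   # constructed scan results
    scanned = []

    def fake_scan(mac: str) -> bool:
        scanned.append(mac)
        if mac not in verdicts:
            raise RuntimeError("scanner unreachable")
        return verdicts[mac]

    nac = AccessController(scan=fake_scan, max_absence=timedelta(days=7))
    t0 = datetime(2021, 1, 4, 8, 0)
    decisions = [
        nac.on_connect(laptop, t0),                       # new endpoint, compliant
        nac.on_connect(laptop, t0 + timedelta(days=1)),   # seen recently, no rescan
    ]
    verdicts[laptop] = False                              # falls out of compliance in the field
    decisions += [
        nac.on_connect(laptop, t0 + timedelta(days=15)),  # absent 14 days, rescanned
        nac.on_connect(camera, t0),                       # new endpoint, non-compliant
        nac.on_connect(printer, t0),                      # scan fails, isolated
    ]
    return decisions, scanned, nac.notifications


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second laptop event reuses the stored decision without a scan, which is the window the user-defined absence period is meant to bound.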

The CEOs of macmon secure and Greenbone Networks confirm the benefits of the partnership for the security of their customers

Dr. Jan-Oliver Wagner, CEO and co-founder of Greenbone Networks: “Both macmon and Greenbone pay attention to fast, fully automated response to ensure compliance with security policies. Attackers also use automation. We counter them with an individual system team acting according to customer specifications. Potential attack surfaces are quickly and specifically isolated, checked and released. Even at 2 a.m. at night. The strengths of both companies complement each other perfectly to ensure the greatest possible security for customers.”

Christian Bücker, Managing Director of macmon secure, comments: “The great advantage of this integration is that as soon as macmon NAC detects the presence of an endpoint, a scan is carried out immediately and fully automatically. If the device is not compliant, macmon NAC is informed directly and responds immediately and automatically with a device lockout or quarantine. The key to success is fast, automatic responses without the need for administrator intervention. By combining the strengths of the two solutions, the security concept will naturally be enhanced. Macmon NAC is able to detect new devices added to the network very quickly and enforce security rules on behalf of Greenbone where it is not able to enforce these rules itself. Greenbone, on the other hand, is highly adept at identifying vulnerabilities, which is not macmon’s area of expertise.”

Integrating the Greenbone Security Manager with macmon NAC is easily done through macmon NAC’s web interface.

It was one of the most spectacular cyber attacks of all time: hackers attacked SolarWinds in the fall of 2019 and injected malware into an update of SolarWinds’ Orion platform in the spring of 2020. Customers who installed the compromised version of the network management software got the “SUNBURST” backdoor right out of the box – including numerous U.S. government agencies and large corporations. Well camouflaged, the hackers were able to spy on data unnoticed for a long time. Here you can learn if you are affected by the SolarWinds attack and how you can protect yourself using Greenbone Networks’ solutions.

The cyber criminals have thus pulled off an almost perfect coup. There is an element of irony to the attack since SolarWinds’ customers use the Orion platform to monitor their IT environment for suspicious behavior. The hackers were hiding in plain sight, as it were, and proceeded in a very targeted and extremely sophisticated manner. They first attacked SolarWinds with the specially developed “SUNSPOT” malware. This injected the malicious “SUNBURST” backdoor, also called “Solorigate”, into the “SolarWinds Orion Platform” update product line. The malware was embedded directly into the code where it obtained valid software signatures, making it perfectly camouflaged. With the update compromised, the backdoor could then be distributed to customers undetected.

Undetected for a Long Time

On 12th December 2020, SolarWinds was informed about the incident and launched an investigation. Security firm FireEye, which itself had been infected with the malware, published additional information about the intrusion into its network. According to its research, the cyber criminals had stolen various attack tools from FireEye, which the company uses for testing its own customers’ security. Other SolarWinds customers also reported security breaches. In addition, during the investigation of the incident, security researchers found another backdoor that had apparently originated from a second, independent hacker group. The attackers had exploited the previously unknown vulnerability CVE-2020-10148 in the Orion platform to install a malicious web shell called “SUPERNOVA” on targets running the Orion platform. More recently, multiple new vulnerabilities have also been discovered, vulnerabilities that could allow full remote code execution if left unpatched.

In the Greenbone Security Manager, the Appropriate Vulnerability Tests Are Already Integrated

Around 18,000 customers have received the compromised SolarWinds update, making them particularly vulnerable to an attack. However, the cyber criminals have not used the backdoor to break into all of them and tap data. The hackers have so far concentrated on particularly attractive, lucrative targets. Are your networks also at risk? As a Greenbone Networks customer, you can find out right away as we integrated corresponding vulnerability tests into the Greenbone Security Manager (GSM) as soon as the incident became known. Our vulnerability scanning will show you whether your IT environment is at risk via “SUNBURST”/“Solorigate” or CVE-2020-10148, making you one of the potential attack targets. In addition, the GSM can check whether you have already fallen victim to “SUPERNOVA”, or the additional malware tools used by the hackers, “TEARDROP” or “Raindrop”.

The Situation Is Serious, but There Are Solutions out There

Anyone affected by the vulnerabilities mentioned above should work to close them immediately using the hotfixes and patches SolarWinds has published for them as the unknown hacker group is still active and at large. Only recently, the security firm Malwarebytes announced that it was the victim of a cyber attack. Obviously, the same actors are behind this as in the SolarWinds hack, although Malwarebytes itself does not use SolarWinds software at all. In this instance, the cyber criminals misused applications with privileged access to Office 365 and Azure environments as an attack vector. Fortunately, the damage was reported to be minor and Malwarebytes software was not compromised.

All these incidents have shown that we have reached a new dimension of cyber crime. Actors are carrying out perfectly planned, complex and multi-stage attacks, first hijacking trusted software to then gain access to other more lucrative victims. To ensure such attacks have as few chances as possible to succeed, it is important to identify and close vulnerabilities as soon as possible.

Are there actually independent reviews of Greenbone Networks solutions?
Of course – we are proud to present the latest report from a leading industry magazine: “IT-Administrator tried the system [solution from Greenbone Networks] and was thrilled with its functionality”. (IT Administrator 01/2021)

In September 2020, the magazine IT-Administrator – a German professional journal for system and network administration – asked Greenbone Networks if they could write a test report about a Greenbone appliance.

The report is currently published in the January issue of the magazine.

In the test, IT-Administrator took a closer look at the Greenbone Security Manager 150. The GSM 150 is a physical appliance designed for vulnerability management in small to medium-sized businesses, or organizations with medium-sized branch offices. It scans up to 500 IP addresses within 24 hours and can also be used as a sensor for larger appliances.

Everything that must be done in a standard deployment of a Greenbone Security Manager was tested: from the initial setup via the console, to configuring scans on the web interface, to evaluating a scan report.

For testing the vulnerability scans, IT-Administrator had prepared different target systems with different security status to examine the differences in the results. Authenticated scans were also part of the test.

Read the full article here (German only).

With the help of compliance policies, a company can check whether all components integrated in the system meet the required specifications. The increasing digitalization and the associated growth of new technologies create opportunities, but also risks. For this reason, the demands on compliance are increasing as well. With GOS 20.08, all compliance policies were made available via the Greenbone Security Feed and four new compliance policies were added: TLS-Map, BSI TR-03116: Part 4, Huawei Datacom Product Security Configuration Audit Guide and Windows 10 Security Hardening.

Compliance policies for different industries

What is a compliance policy anyway?

In addition to legal requirements, companies and public authorities often have their own guidelines that must be met for the secure configuration of a system. The aim is to ensure the information security of the company or authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines that are necessary for this are summarized in one document to form a policy.

Based on the individual criteria of the guidelines, Greenbone Networks develops vulnerability tests – roughly speaking: one criterion results in one vulnerability test. Greenbone Networks combines these tests into a scan configuration.

Such scan configurations, which reflect policies of companies or authorities, are called Compliance Policies.

Example: a company releases a security policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is activated on the target system
  • Software B is not installed on the target system

Greenbone Networks develops a vulnerability test for each of the requirements, which checks whether the respective condition is fulfilled.

The three tests are then combined into a compliance policy that a user of the Greenbone solutions can choose when performing a vulnerability test. During the scan, it is checked whether the conditions mentioned above are met on the target system.

New: distribution of compliance policies via the Greenbone Security Feed

Starting with GOS 20.08, all standard scan configurations, report formats, port lists, and compliance policies of Greenbone Networks are distributed via the Greenbone Security Feed.

Among other things, this allows the publication and distribution of scan configurations for current, hot vulnerability tests. In the past, these were published as XML files for manual download on the Greenbone download website and had to be imported by the users themselves – which was very tedious and left room for mistakes, making a quick application hardly possible.

But this is not the only advantage. It also makes troubleshooting much easier and faster for the customer: objects can be updated and, if necessary, fixed for all setups with a single feed update.

In addition to this innovation, the Greenbone Security Feed has been extended by some important compliance policies.

More Compliance Policies in the Greenbone Security Feed

Four new compliance policies were added to the Greenbone Security Feed in the 4th quarter 2020:

  • TLS-Map
  • BSI TR-03116: Part 4
  • Huawei Datacom Product Security Configuration Audit Guide
  • Windows 10 Security Hardening

About the Special Scan Configuration TLS-Map

Note: TLS-Map is a scan configuration for special scans that are different from vulnerability scans. For reasons of simplicity, this special scan configuration is listed in this article along with the compliance policies.

The special scan configuration TLS-Map is helpful wherever secure communication over the Internet is required. TLS – short for Transport Layer Security – is a protocol for the secure transmission of data on the Internet. It is the successor of SSL – Secure Sockets Layer – which is why both protocols are still often used synonymously today. However, all SSL versions and TLS versions prior to version 1.2 have been outdated since 2020 at the latest and are therefore insecure.

The largest area of application for TLS is data transfer via the World Wide Web (WWW), for example between a web browser as the client and a server such as Other areas of application are in e-mail traffic and in the transfer of files via File Transfer Protocol (FTP).

The special scan configuration TLS-Map checks whether the required TLS version is available on the target system and whether the required encryption algorithms – so-called ciphers – are offered.

About the Compliance Policy BSI TR-03116: Part 4

The Technical Guideline BSI TR-03116 Cryptographic Requirements for Federal Projects from the Federal Office for Information Security (BSI) is used for Federal Government projects. This means that if a federal project should be implemented, this guideline must be fulfilled. It consists of 5 parts in total:

  • Part 1: Telematic infrastructure
  • Part 2: Sovereign identification documents
  • Part 3: Intelligent measuring systems
  • Part 4: Communications procedures in applications
  • Part 5: Applications of the Secure Element API

The compliance policy, which Greenbone Networks has developed accordingly, checks whether the contents of the fourth part of the policy are fulfilled. This part contains requirements for communication procedures.

The compliance policy BSI TR-03116: Part 4 in the Greenbone Security Feed tests the three main requirements of the technical guideline: the minimum TLS version as well as the required and the non-permitted ciphers.
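The checks described for TLS-Map and for BSI TR-03116: Part 4 (minimum TLS version, required ciphers, non-permitted ciphers) can be sketched as follows. This is an added example, not Greenbone's vulnerability tests: the function names are hypothetical, and the policy values and scan results are constructed for illustration, not taken from the BSI guideline.

```python
import socket
import ssl
from dataclasses import dataclass, field

TLS = ssl.TLSVersion


@dataclass(frozen=True)
class TlsPolicy:
    min_version: ssl.TLSVersion
    required_ciphers: frozenset    # OpenSSL cipher names that must be offered
    forbidden_ciphers: frozenset   # OpenSSL cipher names that must not be offered


@dataclass
class TlsScan:
    versions: set = field(default_factory=set)   # protocol versions the target accepted
    ciphers: set = field(default_factory=set)    # probed ciphers the target accepted


def handshake_ok(host, port, version, cipher=None, timeout=5.0):
    """True if the target completes a handshake pinned to one version (and cipher).

    A False result can also mean the local OpenSSL build refuses the legacy
    version or cipher, so confirm negatives with a client that supports them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # protocol support is tested, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if cipher is not None:
            ctx.set_ciphers(cipher)   # affects TLS 1.2 and older only
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ValueError):     # ssl.SSLError is a subclass of OSError
        return False


def probe(host, port, policy):
    """Collect accepted protocol versions and policy-relevant ciphers from a live target."""
    scan = TlsScan()
    for version in (TLS.TLSv1, TLS.TLSv1_1, TLS.TLSv1_2, TLS.TLSv1_3):
        if handshake_ok(host, port, version):
            scan.versions.add(version)
    for cipher in policy.required_ciphers | policy.forbidden_ciphers:
        if handshake_ok(host, port, TLS.TLSv1_2, cipher):
            scan.ciphers.add(cipher)
    return scan


def evaluate(scan, policy):
    """Return a list of policy violations; an empty list means compliant."""
    if not scan.versions:
        return ["no TLS handshake succeeded; target not assessed"]
    findings = [f"outdated protocol accepted: {v.name}"
                for v in sorted(scan.versions) if v < policy.min_version]
    if not any(v >= policy.min_version for v in scan.versions):
        findings.append(f"no protocol version at or above {policy.min_version.name} accepted")
    findings += [f"required cipher not offered: {c}"
                 for c in sorted(policy.required_ciphers - scan.ciphers)]
    findings += [f"forbidden cipher offered: {c}"
                 for c in sorted(policy.forbidden_ciphers & scan.ciphers)]
    return findings


# Constructed policy and scan results so the evaluation runs offline.
POLICY = TlsPolicy(
    min_version=TLS.TLSv1_2,
    required_ciphers=frozenset({"ECDHE-RSA-AES128-GCM-SHA256"}),
    forbidden_ciphers=frozenset({"DES-CBC3-SHA", "RC4-SHA"}),
)
LEGACY_SCAN = TlsScan(versions={TLS.TLSv1, TLS.TLSv1_2}, ciphers={"DES-CBC3-SHA"})
HARDENED_SCAN = TlsScan(versions={TLS.TLSv1_2, TLS.TLSv1_3},
                        ciphers={"ECDHE-RSA-AES128-GCM-SHA256"})

if __name__ == "__main__":
    for name, scan in (("legacy", LEGACY_SCAN), ("hardened", HARDENED_SCAN)):
        print(name, evaluate(scan, POLICY) or "compliant")
```

To check a system you operate, pass the result of probe(host, 443, POLICY) to evaluate instead of the constructed scans.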

About the Compliance Policy Huawei Datacom Product Security Configuration Audit Guide

Compliance policies for Huawei solutions have been part of the Greenbone Security Feed for quite some time.

Greenbone Networks had already developed compliance policies for the following two solutions:

  • EulerOS: Linux operating system, based on CentOS
    Related compliance policy: EulerOS Linux Security Configuration
  • GaussDB: database management system (DBMS)
    Related compliance policy: GaussDB 100 V300R001C00 Security Hardening Guide

With a compliance policy for Huawei Datacom, a product category that also includes routers and switches with their own operating system, a third compliance policy for solutions developed by Huawei is added now.

For all three products – Huawei Datacom, EulerOS and GaussDB – there are security configurations that were specified by Huawei. Based on these configurations, Greenbone Networks has developed compliance policies which check the compliance with those security configurations. The different compliance policies are always applied if the corresponding solution is available on the target system.

For Huawei Datacom, Huawei distributes the Huawei Datacom Product Security Configuration Audit Guide. The associated, newly developed compliance policy tests, for example, whether the correct versions of SSH and SNMP are available on the target system.

About the Compliance Policy Windows 10 Security Hardening

The compliance policy Windows 10 Security Hardening includes vulnerability tests to evaluate the hardening of Windows 10 according to industry standards.

Among other things, the compliance policy checks different password specifications such as age, length and complexity of the password, specifications for the assignments of user rights, and requirements for different system devices.

Even faster integration of compliance policies with GOS 20.08

As digitalization continues, compliance requirements are growing in companies of all sizes and in all industries.

Through the direct integration of compliance policies via the Greenbone Security Feed and the inclusion of new compliance policies, the testing of target systems is even more efficient, easier and quicker, thus increasing the protection of the IT infrastructure without the need for special compliance know-how. Of course, we continue to work on new compliance policies on an ongoing basis. So stay tuned!

As the world of technology grows ever more complex and cybercriminals become more aggressive and exploitative in their tactics, those in positions of responsibility can no longer rely on the traditional IT security protection wall around their corporate networks to ward off cyber threats. Sooner or later an attacker will find a way in and from there it is a matter of containing the damage as much as possible and maintaining core business processes in order to continue providing customers with products and services. These practices are not sustainable and for us at Greenbone, the future of IT security is cyber resilience.

Cyber resilience is on everyone’s lips – the media, businesses, manufacturers and even governments are talking about this successor to classic IT security with increasing intensity. But what exactly is cyber resilience? How can it be implemented? What distinguishes organisations that are already resistant to cyberattacks? We at Greenbone got to the bottom of these questions with a large-scale global study alongside Frost & Sullivan. The results are now available in a report which you can read here.  Below we look at the key objectives and findings of the study:

Cyber Resilience

Core mission of the study: identify resilience characteristics

We have been working intensively in the field of cyber resilience for several years, but what makes it so important? What challenges do organisations in different industries face? Which best practices should they follow? We looked for the answers to these questions as part of the study with Frost & Sullivan. Indeed, one of our main objectives was to identify particularly resilient organisations and analyse what distinguishes them from less resilient ones. In this way, we hope to offer companies concrete recommendations that they can act on in order to make their operations more resilient. We’ll also use what we’ve learned to further develop our proven vulnerability management technology, which we have recently started offering as a managed service.

Discovery of major data leak in the healthcare sector changed focus of the research

The report pays special attention to those organisations that form part of the Critical National Infrastructure (CNI), from water and energy to finance and healthcare. In the event of a cyberattack, CNI organisations have to take into consideration not only economic losses and reputational damage, but they also have to look at how it will impact wider society and, in extreme cases, if human lives are at risk. For example, if medical equipment is compromised or the power supply to a hospital fails, the knock-on effects could be disastrous. We therefore wanted to enhance the study with real-life examples from the CNI sectors.

As we were searching for examples, we revealed something much larger than we could have imagined: a huge data leak in the healthcare sector, with millions of patient records and associated medical images freely accessible via a weakness in the PACS (Picture Archiving and Communication Systems) servers. No programming or coding knowledge was necessary to access what included complete medical histories with personal data such as the patient’s name, date of birth, and the attending physician, fully visible.

This discovery was so significant, we couldn’t possibly ignore it. We quickly shifted our focus to help restrict free access to this patient data as quickly as possible, working alongside authorities and IT security specialists around the globe. In cooperation with Bayerischer Rundfunk in Germany and the US investigative platform ProPublica, we helped explain the true extent of the problem. So far we have been very successful in removing access to this patient data, yet some 400 PACS systems are still connected to the Internet, making the patient data stored on them accessible to everyone. For this reason, we continue to maintain close contact with the relevant authorities. Our report on the patient data leak can be downloaded here.

A few key findings

In addition to our work in the healthcare sector, we also reviewed organisations from the energy, finance, telecommunications, transport and water sectors in the report. In total, we surveyed 370 organisations with an average of 13,500 employees from the five largest economies in the world: the United States, the United Kingdom, France, Japan and Germany. From this wide-ranging perspective, we were able to obtain answers to our core questions as well as some other interesting findings:

US companies are at the forefront of cyber resilience:

On average, only 36% of the organisations surveyed were highly cyber resilient. The USA scored highest with 50%, European companies came in around the average, and Japanese organisations were at the lowest end of the scale with only 22%.

Transport sector least resistant to cyberattacks:

Across all the countries surveyed, financial and telecoms organisations (46%) were best equipped against cyberattacks. They were followed by the water (36%), health (34%) and energy (32%) sectors, yet only 22% of transport organisations have achieved a high level of cyber resilience.

Understanding business processes is more important than budget considerations:

Whilst it’s true that the cyber resilient organisations we identified have on average a larger profit turnover and a higher IT budget, the detailed analysis in the study revealed that this is by no means decisive. What we discovered is that a fundamental understanding of the business processes and an awareness of business-critical digital resources play a far more crucial role in organisations being cyber resilient.

Eleven characteristics that distinguish cyber resilient organisations:

In our study we were able to identify three groups of characteristics that increase the cyber resilience of organisations by a factor of two, three and six. From this, we developed a “roadmap” with which organisations can increase their level of IT maturity and create a high level of cyber resilience.

You can download the Exec Summary and request the complete report, including the roadmap, here:

How to become cyber resilient

In a world of growing digital complexity, and as technology becomes more ingrained in our everyday lives, hackers and cybercriminals have sought to take advantage of the situation, aggressively going after new vulnerabilities and flaws that have arisen out of this widening sphere of technological adoption. The likes of Advanced Persistent Threats and ransomware attacks have grown in sophistication and frequency, as has the damage they have caused to organisations and individuals alike.

As a result of these new attack vectors, and as organisations grow to rely on technology to keep varied operations running, IT and business leaders have sought to find a new way to protect themselves. This is where cyber resilience plays a crucial part.

I recently ‘sat down’ with The Times/Raconteur to discuss the current state of business risk, the rise of cyber resilience and to look at what organisations can do to become truly resilient. Below is a brief overview of what was discussed and the link to the article is here:

A new type of cybersecurity

The term ‘cyber resilience’ is relatively new – for us, it means that organisations are still able to function and deliver their business services even when facing an adverse cyber incident. Many organisations seek to become cyber resilient yet many of them are falling behind. This is what we learned in our recent report, conducted alongside Frost & Sullivan, which found that only 36% of organisations across six key industries in the US, UK, Germany, France and Japan are considered to be highly cyber resilient.

The report also revealed that understanding what your key business assets are is more important than budgetary considerations. Whilst certainly the cyber resilient organisations we identified tended to have a higher IT budget, the study revealed that this is by no means the final word. In fact, we discovered that having a fundamental understanding and an awareness of business-critical assets plays a far more crucial role in organisations being cyber resilient.

Indeed, our core objective with this report was to identify resilient characteristics so that we can offer companies concrete recommendations about how they can go about becoming more cyber resilient. This in turn will help us develop our proven vulnerability management technology, which we have recently started offering as a managed service.

You can read the results in the full 52-page report here: Business Risk & Cyber Resilience

During the past year, we’ve made considerable progress at Greenbone. We have added virtual machines to our solutions portfolio and have entered into new distribution partnerships to help us target the North American market, amongst others. We have grown our team significantly and continue to recruit. Currently, we are preparing to launch our first cloud-based managed service platform giving companies the choice over whether to deploy our technology as a service, by virtual appliance or by physical appliance, depending on their needs and requirements. Our goal is to always stay one step ahead of attackers and make businesses of all sizes more resilient to cyber attacks through effective resilience and vulnerability management (RVM).

Sophisticated cyber attacks are commonplace, and it’s inevitable that organizations will be targeted by hackers. This means companies need to find a way to remain operational even in the event that they are attacked. Business disruption from cyber attacks is among the greatest risks facing companies today.

Effective RVM plays a crucial role in an organisation’s business continuity planning. To make companies more resilient, our technology enables them to identify, classify and eradicate threats to their infrastructures. We continuously scan the entire enterprise network for weak points and possible attack vectors. At the same time, we help organizations identify and visualize the various risks to their operations, allowing them to prioritize those that threaten their critical business processes and associated assets. Leveraging a high degree of automation and scanning as widely and deeply as possible, we help our customers establish a state of sustainable resilience.

Our customers recognize the benefits of RVM. However, opinions do differ on how the technology is integrated into their own IT environments. And rightly so: after all, every company has its own competencies, preferences and compliance requirements. Our new cloud-based services, together with our more established physical and virtual appliances, will ensure our customers have a wider choice over how to deploy and manage their RVM solution.

We also continue to take our responsibility seriously and provide our technology as a transparent, open solution. Critical infrastructures, in particular, remain an important focus of our security research. Last year, our research into vulnerable imaging servers used by healthcare providers all over the world, helped open the sector’s eyes to a considerable yet largely unknown privacy and security risk. Following this research, we helped hundreds of healthcare facilities bolster their defenses and protected the data of millions of patients. We intend to carry on along this path, making the digital world more secure for everyone.

Enormous demand for Vulnerability Management-as-a-service and as a virtual application

We are currently beta testing our new Greenbone Managed Service Platform, and have been for many weeks. From April, we will be able to offer our proven vulnerability management solution as a cloud service, which customers can use for a monthly fee. Smaller businesses, such as local medical practices, will be able to protect their networks quickly and easily, without in-house expertise. For global corporations, managed services are an interesting option as they make it easy to equip new locations with effective vulnerability management without any great expense. We have recruited an entire team of experts to develop and manage these cloud-based services for our customers. They are configuring these services with great care and diligence, and will, of course, pay particular attention to secure data exchange.

Our mid-range Greenbone Security Manager virtual appliances have been available since mid-2019 and have helped us increase revenues from our virtual solutions by almost ten times between 2018 and 2019. Although the greatest control over security data is still offered by physical appliances, confidence in virtualization solutions has grown significantly as they have advanced. As our CEO, Jan-Oliver Wagner, says: “This cross-architecture flexibility helps our customers meet their own requirements for a Resilience & Vulnerability Management solution in a targeted and efficient way.”

New distributors support international growth

Growing customer demand has validated our decision to offer a wider range of virtual appliances. To help meet this demand, we entered into a strategic partnership with the value-added distributor (VAD) ADN in 2019. This complements our long-standing cooperation with Exclusive Networks, which are distributors specializing in physical systems. In the DACH region, we now have strong distribution partners for both our physical and virtual systems.

We are also expanding more and more into the English-speaking world. For example, we recently signed a deal with InfoSec Industries, based in Florida, which gives us increased access to the North American market in particular, but also support in Central and South America.

New colleagues and a bigger HQ

To meet higher demand, we’ve also increased our headcount. Indeed, in 2019, we welcomed 21 new colleagues to the Greenbone team. This additional expertise has helped us to develop the professional service we offer. With the appointment of Elmar Geese as Chief Operating Officer (COO), we have gained a capable leader with a strong entrepreneurial background who will help us evolve our strategy, process optimization and operational controls.

In order to accommodate our rapidly growing team, we have once again significantly expanded our Osnabrück headquarters.

Conclusion: Focus on customer cyber security and more customers

Cyber attacks can have extremely serious consequences. Our mission is to provide companies of all sizes – from local medical practices to international corporations – with effective vulnerability management that is straightforward to deploy and manage. The considerable international demand for our virtual machines and the already substantial interest in our new managed service platform shows that we are on the right track. We will continue to do everything in our power to stay one step ahead of future attacks.

It’s four months since Bayerischer Rundfunk and ProPublica ran reports on our research, which revealed that vast numbers of Picture Archiving & Communication Systems (PACS) – which are widely used by health providers to share and store medical scans – were leaking confidential patient data.

X-ray from 19th century, source WikiCommons

During the last days we sent faxes (haven’t used fax in years) to more than 40 institutions, which should help to secure about 10 million studies and 460 million images from unprotected access.

We think that now’s the time for a new instalment and, while this blog post isn’t a new report, it does shine a spotlight on a few barely mentioned aspects of the data leak. It also highlights some extra noteworthy things that have happened since September 17th 2019.

A bit of history

It was Spring 2019 when we found the first example of a PACS system leaking data. We weren’t searching for one specifically, we were actually conducting some different research at the time.  However, because we discovered it, our first step was to alert the affected organization about the problem (they acted quickly and removed the system). We didn’t think much more about it at the time, other than writing the words “PACS server” on a Post-It and pinning it on our notice board.

In August 2019, we decided to revisit the topic and initial work began by establishing a base data set of connected and accessible (aka unprotected) PACS systems. We soon realized the immense scale of the issue and it became obvious that we would need the help of authorities and media outlets around the globe to draw much-needed attention to the problem. Simply put, it wouldn’t have been possible to get so many systems off the public Internet without their help. (This process still remains very much a ‘work in progress’, as January’s story on TechCrunch highlights.)

I’m thankful for the work done by so many around the globe; from authorities in Germany, the United Kingdom, France, Switzerland, the United States, Malaysia, and many other countries. This extends to all the news outlets that highlighted the need to check and change PACS systems, as well as to the hospitals and clinics who took their responsibilities seriously, and asked for specific advice. We have also spoken with quite a few information security professionals, and they all deserve kudos too. THANK YOU!

Some untold chapters

While on the topic of history, one particularly interesting aspect of our research was the sheer volume of historic medical data that was freely available on the Internet, and how this could be used to generate medical profiles.

For example, we selected a few systems, each allowing access to data that goes way back in time. The youngest archive in the sample dated from December 11th 2007.

The following graph & timeline visualizes what we found on those selected systems.


(click here for a hires version, usage is allowed given that the copyright is properly displayed).

By ‘history-building’ in this way we could see:

  • a person who had their first examination back in March 1987 and has since had 55 other radiology examinations, most recently in December 2019
  • another person who had more than 130 radiology examinations over a span of 22 years
  • The oldest data set which dated back to January 3rd, 1980; an examination that took place in the evening.

We also uncovered some further aspects that, although they don’t necessarily place patients at risk of medical identity fraud, are still important from a data privacy perspective, for example:

  • one PACS system contained usual data like the patient’s full name, DoB and examination details, however, the origin of the data was from a range of prisons and correction centers dating back to 2007. You could easily work out if someone had served prison time, which could be a clear breach of their privacy
  • Some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering.

It’s not just past data that’s at risk, it’s future information too. One system we found offered a very easy way to view future appointments, with each patient’s full name and DoB on display. And because this PACS server was used by a regional health provider, it could be relatively easy to find out the patient’s address, phone number, work place and any other details, thanks to the amount of information that’s readily available to view on Facebook, Instagram, etc.


Some extra plot twists

As we are talking about the future, which includes the bright new world of Artificial Intelligence, it’s noteworthy that we were even contacted by vendors of medical AI solutions asking us for access to the data, presumably so they could use the data to improve their algorithms. We obviously said no, not just because of EU privacy laws, but also to protect patient security and on ethical grounds. It might be better to leave that piece of the story as it is.

When we first published our research, a typical reaction from medical interest groups was: “No, no that can’t be. System used by veterinarians maybe, or education/university systems. But our hospitals and doctors take good care of privacy.” We did indeed find 72 vulnerable PACS systems being used by vets, but we didn’t use them for our research. While there is a chance that these servers hold a good amount of personal data (i.e. billing information), the health of animals is a different story than the health of people. Diligence was also needed to distinguish between the abbreviations VET and PET, as the former can relate to both veterinarians and veterans, while the latter could be a technical term for a scan: PET-CT.

It will come as no surprise that we were also contacted by lawyers seeking class-action lawsuits. We did not – and will never – share details of our methodology or any detailed findings; that’s not our business.

While speaking about legal aspects, when we sent out the 140+ individual responsible disclosures to the affected health providers, we prepared ourselves to receive a bunch of ‘cease and desist’ letters. But we haven’t received any. Those organizations who received the disclosure and contacted us for more information, all (re)acted with intent to remedy the problem and not to ‘shoot the messenger’. I’d like to thank Troy Hunt again for his work on how to handle responsible disclosures, it helped us a lot.

Randomly, we even received a message over Twitter, asking whether we found images of bone spurs. No, we didn’t, but then again, we didn’t search for any.

What’s next

We will keep an eye on the issue of unprotected PACS systems around the globe and will certainly help data protection and law enforcement authorities worldwide with their ongoing work to get the identified systems off grid. There are still more than 400 PACS systems unprotected out there, with more than 27 million studies affecting an estimate of 9 million persons.

For us, this exercise was an important example of how information security and data privacy isn’t always about highly sophisticated APTs, devious social engineering tricks, and BlackHats doing some code magic. It’s about being diligent with the basics. And basic is exactly how we kept it: no coding, no automation, no scripting. Anyone would have been able to do it.

We intend to keep this approach in mind as we conduct future research into the resilience of other critical national infrastructures.

Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago. What else can we do to get as […]