By Gregory Hale
Patching is often ineffective in providing protection from the multitude of vulnerability disclosures and malware targeting critical infrastructure systems today, new research shows.
While patching such systems is important as part of an overall defense in depth strategy, the difficulties of patching for industrial systems mean that compensating controls are often a better method of providing immediate protection, according to research from Tofino Security.
Since the discovery of the Stuxnet malware in 2010, industrial infrastructure has become a key target for security researchers, hackers, and government agents. Designed years ago with a focus on reliability and safety, rather than security, Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) are often easy to exploit.
As a result, there has been exponential growth in government security alerts for these systems in the past two years. In addition, they have attracted some of the most sophisticated (Stuxnet, Night Dragon, Flame) and damaging (Shamoon) cyber attacks on record.
The report, conducted by Eric Byres, CTO and vice president of engineering at Tofino Security, found:
• The number of vulnerabilities in SCADA/ICS applications is high, with as many as 1,805 undiscovered vulnerabilities estimated to exist on some control system computers. After measuring the amount of software on the average control PC in a refinery and applying a metric called Defect Density to estimate the number of expected vulnerabilities, the research showed this one refinery had 1,805 possible vulnerabilities on the average PC.
• The frequency of patching needed to address future SCADA/ICS vulnerabilities in controllers and computers likely exceeds the tolerance of most SCADA/ICS operators for system shutdowns. Unlike IT systems, most industrial processes operate 24×7 and demand high uptime. Weekly shutdowns for patching are unacceptable.
• Even when a user can install patches, they can be a problem. There is a 1 in 12 chance any patch will affect the safety or reliability of a control system, and there is a 60 percent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills. In many cases, such experts do not have the proper certification for access to safety-regulated industrial sites.
• Patches are available for less than 50 percent of publicly disclosed vulnerabilities.
• Critical infrastructure operators are reluctant to patch as it may degrade service and increase downtime.
When patching is not possible, or while waiting for a semi-annual or annual shutdown to install patches, an alternative is to deploy a workaround, also known as a “compensating control.” Compensating controls do not correct the underlying vulnerability; instead, they help block known attack vectors. Examples of compensating controls include product reconfigurations, applying suggested firewall rules, or installing signatures that recognize and block malware.
Another compensating control is rule and protocol definitions that address newly disclosed vulnerabilities. They provide a way for automation system vendors to create and securely distribute malware protection. Operators benefit from a package of tailored rules they can install without impacting operations. The result is critical industrial infrastructure facilities can quickly and effectively defend themselves against new threats.
“My research highlights the multiple challenges with patching for SCADA and ICS systems,” Byres said. “To secure facilities, critical infrastructure operators should pursue a defense in depth strategy that includes patching when possible, and use compensating controls for protection when patching is not possible.”
By Gregory Hale
Chief executives are in a constant state of alarm mode. They have to be thinking of the future direction of the company while making sure it is running as smoothly as possible so they can reap the greatest dividends to ensure the company’s profitability now and in years to come.
They need to plant seeds for future growth, while constantly putting out fires on any of the breaking trends they face on a daily basis. The two images seem to contrast one another, but both truly come into play. Up until the past few years, the fires breaking out were difficult, time consuming, and sometimes expensive, but they were manageable because there was visibility.
But then Stuxnet, Duqu, Flame, Night Dragon and Shamoon, all forms of some type of cyber attack, hit companies that either caused severe damage or stole some vital information.
Add one more fire to the list.
All of a sudden security, while always a thought in leaders’ minds, is now a top priority.
It only makes sense. Just look at some of the latest reports. Poughkeepsie, NY-based Central Hudson Gas and Electric is now working with state and federal authorities and industry groups to investigate a cyber attack in late February where hackers gained entry to as many as 110,000 customer accounts.
Employees detected the computer system intrusion Feb. 20. The attack occurred over a weekend, and as a result of regular control procedures, employees found the attack and reported it, the utility said.
On top of that, look at how malicious software downloaded by offshore oil workers incapacitated computer networks on some rigs and platforms, exposing gaps in security. In the offshore oil industry, that has to be a raging nightmare.
Some of these infected files downloaded directly through satellite connections, while other malicious files came aboard on laptops and USB drives infected on land.
With the millions, if not billions, of dollars in play, oil rigs, like any major organization or company, have a target on their backs, and it seems amazing they don’t all have a defense in depth program that can ward off or isolate attacks that could injure the network.
The list of attacks and potential exposure goes on. But the end result is corporate data losses hit the highest levels this year since 2008 as companies work to improve data security strategies against a greater variety of more sophisticated IT attacks, according to one KPMG report.
Leaders at companies still view security as a cost center rather than a potential revenue generator. After all, isn’t the real idea behind security keeping the systems up and running? If a manufacturer has a solid security plan in place that allows the system to stay up and running, it is able to produce more product, which means more revenue, which means more profit. That concept is fairly simple and straightforward, and there are folks at the top level (meaning chief executives) beginning to embrace the idea.
Yes, there are plenty of factors in play when it comes to security, but in the simplest form, manufacturers still need to keep their eye on the ball and make sure they know what they have to do to keep their systems, and assets, up and running. The message has to come from the top and it needs to be steady and consistent.
Much like safety, security is a vital part of any manufacturer’s being today and chief executives are starting to catch on. When that idea does catch on, it will be easier to safeguard the system and quell the security fire.
Talk to me: email@example.com.
By Richard Sale
One year after U.S. cyber investigators uncovered a five-year-old Chinese hacking venture called Shady RAT that looted “trillions of dollars worth of intellectual and corporate data from U.S. companies,” the response of the corporations to the threat is still loosely coordinated and ineffective, former U.S. intelligence officials said.
“Companies think first of their shareholders or shielding their name, not safety,” one official said. “They have a phobia about publicity.”
“This is a very sensitive matter which companies find it hard to talk about or address,” another official said. “They feel that the government should be protecting them when, in fact, they should be protecting themselves.”
Whether companies are ignoring the attacks or quietly hiking their security posture remains unclear, but in most cases the result has been ineffective, sources said, and yet more companies, like oil giant Saudi Aramco, are suffering major targeted attacks.
Even the U.S. patent offices “are a very attractive target for espionage,” said James Lewis, a cyber expert at CSIA in Washington. “For hackers, it’s one-stop shopping. Why waste time when you can go to the source and get the finished product.”
Shady RAT is no different from other attempts by China to evade security and loot the property of U.S. corporations and federal agencies. They have been looting U.S. banks of hundreds of millions of dollars a year, said Lewis. Only one bank, Citigroup, went public with its losses.
In a 14-page report issued last year, the security firm McAfee listed “72 companies in 14 countries it claimed have been the victim for more than five years of cyber attacks siphoning intellectual property – including government data, business dealings and corporate research.”
Victims included government bodies in the United States, Taiwan, South Korea, Vietnam and Canada, said Dmitri Alperovitch, vice president of threat research at McAfee. Fifty of the victims included “corporations, government agencies (particularly defense contractors) and nonprofits based in the United States. Other sites infiltrated included the United Nations and Associated Press.”
One U.S. intelligence official said that malware has been removed from most sites, but said the case is still “on-going.” The weapon used by attackers was the common email.
In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and combed through reams of secret data, McAfee said.
“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said in the report.
“What is happening to all this data … is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”
McAfee learned of the extent of the hacking campaign in March 2011, when researchers discovered logs of the attacks while reviewing the contents of a “command and control” server they discovered in 2009 as part of an investigation into security breaches at defense companies.
It called the attacks “Operation Shady RAT” and said the earliest breaches date back to mid-2006, though there might have been other intrusions. (RAT stands for “remote access tool,” a type of software that hackers and security experts use to access computer networks from afar).
Some of the attacks lasted just a month, but the longest — on the Olympic Committee of an unidentified Asian nation — went on and off for 28 months, McAfee said.
In February 2011, McAfee warned that hackers working in China had broken into the computer systems of multinational oil and natural gas companies to steal bidding plans and other critical proprietary information. Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes were the six companies targeted in the attack.
“Night Dragon” attacks relied on a combination of spear-phishing, social engineering, Windows bugs and RATs to guarantee success. The catch is none of the tactics were particularly sophisticated, said McAfee, which uncovered the assault emanating from China and consisting of covert attacks targeting oil, energy and petrochemical companies as far back as November 2009.
“(The attacks) were very successful,” Alperovitch said. The information the hackers obtained had huge value to competitors.
That information included financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. That attack showed security needs to be strong from the field all the way through the enterprise. You never know where the attack could occur.
By Nicholas Sheble
“APTs (advanced persistent threats) are not a ‘what,’ but a ‘who,’” said Daniel Teal, the chief technology officer at CoreTrace. “It’s particular people who are after you, your products, or what you know, your information.”
“They have resources, expertise, and the time to get you.” APTs have delivered the famous cyber attacks that are familiar in the mainstream like Stuxnet, Aurora, Night Dragon, and others.
An advanced persistent threat (APT) is a cyber threat or cyber attack where the hacker has the ability to evade detection and the capability to gain and maintain access to well-protected networks and the sensitive information in them.
The hacker is adaptive and well resourced. The persistent nature of the threat makes it difficult to prevent access to one’s computer network and, once the threat actor has successfully gained access to one’s network, very difficult to remove.
The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically. ISSSource has reported before on APTs and the website contains an informative white paper on them.
Beyond discussing the objectives of APTs, Teal spoke Thursday during a company webinar entitled “Combating Advanced Persistent Threats: The Case for Application Whitelisting-based Solutions,” about potential targets, what the primary weapons include (like memory attacks), and the best solutions to stave off such attacks.
Among those solutions, Teal made a compelling case for application whitelisting-based advanced threat protection platforms.
Application whitelisting is a concept whereby only authorized applications can run on the network and its nodes. So rather than searching out malware using antivirus software, the system blocks everything — except those functions that the user designates to run.
Using this technique against malware assumes that malware never gets onto the whitelist: as long as the whitelist stays malware-free, malware cannot run. Teal said whitelisting can stop all APTs.
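The default-deny idea described above, as an added illustration that is neither CoreTrace’s product nor code from this article: approved executables are identified by SHA-256 hash, anything else is refused, and the allowlist itself is sealed with an HMAC so that the assumption that malware never gets onto the list is checked rather than hoped for. The binaries, file names and key below are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for the executables on a control PC. A real allowlist
# holds the hashes of the actual HMI, historian and vendor binaries the
# operator has approved.
APPROVED_BINARIES = {
    "hmi_runtime.exe": b"MZ\x90\x00 constructed stand-in for the HMI runtime ",
    "historian_agent.exe": b"MZ\x90\x00 constructed stand-in for the historian ",
}
# Constructed sealing key; in practice it lives in an HSM or a signed package.
SEAL_KEY = b"example-only-allowlist-sealing-key"


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths, key):
    """Hash each approved binary and seal the list with an HMAC over its contents."""
    digests = sorted(sha256_file(p) for p in paths)
    body = json.dumps(digests).encode()
    seal = hmac.new(key, body, "sha256").hexdigest()
    return {"digests": digests, "seal": seal}


def allowlist_intact(allowlist, key):
    """True only if the seal still matches the digests, i.e. nobody edited the list."""
    body = json.dumps(allowlist["digests"]).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(allowlist["seal"], expected)


def decide(path, allowlist, key):
    """Default-deny execution policy: run only a known-good hash from an intact list."""
    if not allowlist_intact(allowlist, key):
        return "DENY (allowlist tampered)"
    if sha256_file(path) in allowlist["digests"]:
        return "ALLOW"
    return "DENY (not on allowlist)"


def write(path, content):
    with open(path, "wb") as handle:
        handle.write(content)


def demo():
    """Build the list from the approved binaries and exercise four scenarios."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name, content in APPROVED_BINARIES.items():
            path = os.path.join(workdir, name)
            write(path, content)
            paths.append(path)
        allowlist = build_allowlist(paths, SEAL_KEY)
        results = {}
        # An approved, unmodified binary runs.
        results["approved"] = decide(paths[0], allowlist, SEAL_KEY)
        # A binary that was never approved is refused, whatever it calls itself.
        dropped = os.path.join(workdir, "unapproved_tool.exe")
        write(dropped, b"MZ\x90\x00 constructed unapproved binary ")
        results["dropped"] = decide(dropped, allowlist, SEAL_KEY)
        # An approved binary altered in place no longer matches its recorded hash.
        with open(paths[1], "ab") as handle:
            handle.write(b"\x00")
        results["patched"] = decide(paths[1], allowlist, SEAL_KEY)
        # Editing the list to admit the unapproved hash breaks the seal, so the
        # "whitelist stays clean" assumption is enforced, not merely hoped for.
        forged = {"digests": allowlist["digests"] + [sha256_file(dropped)],
                  "seal": allowlist["seal"]}
        results["forged_list"] = decide(dropped, forged, SEAL_KEY)
        return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:12s} {verdict}")
```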
Nicholas Sheble (firstname.lastname@example.org) is an engineering writer and technical editor in Raleigh, NC.
By Gregory Hale
There is no better term around today that sums up the requirements for oil and gas drillers than two simple words: Real time.
With millions, if not billions, of dollars at stake, there is no fooling around.
The easy days of oil and gas exploration are long gone. Now, E&P companies must not only use more sophisticated technologies to hike business intelligence and identify profit opportunities upstream, but they must also employ cost effective ways to send that information to decision-makers. They know they need to get away from proprietary software and custom solutions with every engagement, and to move toward an industry specification that enables interoperability, security, performance, reliability, cost, and affordability instead. While workers pull out oil upstream, everyone within the organization must be in sync to hike business objectives from the ground all the way to the gas pump.
With oil and natural gas supplying more than 60 percent of our nation’s energy, there are close to 2,000 rigs currently drilling for oil and gas in the United States, according to a survey by Baker Hughes for the U.S. Energy Information Administration. These drillers are seeking a secure connection to speed up application deployment by cutting out manual processes and unrelated management systems. One challenge they face is how to decrease complexity and costs while ensuring an integrated network that allows for secure data transfer.
There is no doubt companies need information quickly and efficiently before, during, and after drilling operations. They also need to move the incredible amount of data collected securely between all disparate systems. By ensuring decision-makers will be able to collect, decipher, and put data in the proper context, companies can make accurate and timely decisions.
Furthermore, the “Night Dragon” attacks that went as far back as November 2009 demonstrate the need for more security. Hackers were able to access oil companies’ systems and steal information including financial documents related to oil and gas field exploration and bid negotiations, in addition to operational details on oil and gas field production Supervisory Control and Data Acquisition (SCADA) systems. That attack emphasized security must be strong from the field all the way through the enterprise.
Big Cost, Big Gain
Drilling for oil or gas is a science, and with an incredible amount of money on the line, people need to make the right decisions in real time.
Most wells today are directional, which means they are not straight up and down; rather, they reach a specific spot and then continue at an angle over great distances. To reach this level, a rig must drill the hole while a Measurement While Drilling (MWD) tool provides directional information and an Electronic Data Recorder (EDR) monitors the operation.
The MWD tool is an electronic downhole tool capable of gathering telemetric and formation data at the point of contact and then transmitting it up-hole during drilling operations. This allows the rig to steer in real time. The EDR system consists of sensors, data acquisition units, computers, and a database. It acquires data from a large number of rig sensors, displays it to the rig crew and other parties, and then stores it in a database.
From the beginning, it is a challenge to get the MWD data and transmit it securely to the EDR system so the crew can easily see the real-time telemetric and formation data and make steering and drilling decisions. That is where the Wellsite Information Transfer Specification (WITS) comes into play. This protocol provides a simple link that allows MWD systems to transmit data to the EDR system in real time.
WITS has multiple communication levels. The Level 0 specification provides a real-time connectivity standard for sharing information between MWD downhole drilling devices and systems that support the WITS protocol. Kepware developed a suite of WITS Level 0 communication drivers that provide the ability to easily transfer downhole drilling measurements to HMI, SCADA, and OPC Client applications.
The MWD tool gathers drilling-related measurements downhole and then digitally transmits the data to the surface using mud pulser telemetry or other advanced technologies, such as electromagnetic frequency communications or wired drill pipe. MWD systems take several measurements vital to drilling operation, such as Gamma Ray, compass direction, drill bit direction, borehole pressure, temperature, vibration, shock, torque, and so forth.
WITS allows the transfer of this wellsite drilling data from one computer system to another through the use of a fixed-format ASCII data stream consisting of discrete data records. Each data record type is generated independently of the others. Each type also has a unique trigger variable and sampling interval.
Kepware’s WITS drivers support bi-directional communications where the driver can read from or write to the WITS data stream through OPC or any of the other client interfaces available on the KEPServerEX Platform. By pairing KEPServerEX’s Advanced Tags Plug-In with any of KEPServerEX’s communication drivers, users can create bi-directional communications with PLCs and other data sources.
The communication goes two ways because WITS incorporates the ability for a remote computer system to send instructions to the sending system to set or change certain parameters, including the type of data transmitted and the interval for transmission.
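As an added example (not Kepware’s driver code or anything from this article), here is a defensive parser for the fixed-format record stream described above, one that drops a malformed, non-numeric or physically implausible record whole rather than passing it to the steering display. It assumes WITS Level 0 framing in which a record is opened by a line holding “&&” and closed by one holding “!!”, with each data line carrying a four-digit item code followed directly by the value; the item codes, names and plausibility limits in ITEMS and the sample stream are constructed for the example.

```python
import re

# Framing assumed for this example (the article does not spell it out): a record
# is opened by a line holding "&&" and closed by one holding "!!"; each line in
# between carries a four-digit item code (two-digit record type followed by a
# two-digit item number) with the value immediately after it.
RECORD_START = "&&"
RECORD_END = "!!"

# Allowlist of items this consumer understands, with the physical range a value
# must fall in before it is displayed. Codes, names and limits are this
# example's assumptions (a small subset of record type 01, general time-based).
ITEMS = {
    "0108": ("bit_depth_m", 0.0, 15000.0),
    "0110": ("hole_depth_m", 0.0, 15000.0),
    "0113": ("rop_m_per_h", 0.0, 300.0),
    "0120": ("rpm", 0.0, 500.0),
}

LINE_RE = re.compile(r"^(\d{4})(\S+)$")

# Constructed stream: one clean record, one with bad items, one cut off mid-record.
SAMPLE_STREAM = """\
&&
01081234.50
01101240.00
011318.25
0120120
!!
&&
01081235.10
0110abc
011399999
01997
!!
&&
01081236.00
"""


def parse_wits0(stream):
    """Parse a WITS Level 0 stream into validated records.

    Returns (accepted, rejected). accepted holds one dict per clean record,
    keyed by item name; rejected holds one reason string per dropped record.
    A record with any bad item is dropped whole, so a corrupted or hostile
    frame never reaches the steering display as a half-trusted value.
    """
    accepted, rejected = [], []
    current, problems, record_no = None, [], 0
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_START:
            if current is not None:
                rejected.append(f"record {record_no}: new '&&' before '!!'")
            record_no += 1
            current, problems = {}, []
            continue
        if line == RECORD_END:
            if current is None:
                rejected.append("stray '!!' outside any record")
                continue
            # Cross-field sanity check: the bit cannot be deeper than the hole.
            if current.get("bit_depth_m", 0.0) > current.get("hole_depth_m", float("inf")):
                problems.append("bit depth exceeds hole depth")
            if problems:
                rejected.append(f"record {record_no}: " + "; ".join(problems))
            elif current:
                accepted.append(current)
            else:
                rejected.append(f"record {record_no}: empty record")
            current = None
            continue
        if current is None:
            rejected.append(f"data outside any record: {line!r}")
            continue
        match = LINE_RE.match(line)
        if match is None:
            problems.append(f"malformed line {line!r}")
            continue
        code, text = match.groups()
        if code not in ITEMS:
            problems.append(f"unknown item code {code}")
            continue
        name, low, high = ITEMS[code]
        try:
            value = float(text)
        except ValueError:
            problems.append(f"{name}: non-numeric value {text!r}")
            continue
        if not low <= value <= high:  # also rejects nan and inf
            problems.append(f"{name}: {value} outside [{low}, {high}]")
            continue
        if name in current:
            problems.append(f"{name}: repeated within one record")
            continue
        current[name] = value
    if current is not None:
        rejected.append(f"record {record_no}: stream ended before '!!'")
    return accepted, rejected


if __name__ == "__main__":
    good, bad = parse_wits0(SAMPLE_STREAM)
    for rec in good:
        print("accepted:", rec)
    for reason in bad:
        print("rejected:", reason)
```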
In addition, there is another specification making the rounds and that is Wellsite Information Transfer Standard Markup Language (WITSML).
WITSML is an industry initiative to provide open, non-proprietary, standard interfaces that allow instrumentation and software to work together to monitor and manage wells, completions and workovers.
While the goal of WITS and WITSML is essentially the same, the technology is not. WITS uses a binary file format for transferring wellsite drilling data. WITSML is web-based and built on XML technology, which is platform and language-independent.
Oil giant Chevron uses the latest digital technologies in their mission control centers to focus on utilizing real-time data to make collaborative decisions in drilling operations, or in managing wells and imaging reservoirs, for higher production yields. The company’s goal is simple: They want to improve performance and increase productivity and profitability. By using such technologies at these mission control centers, the company thinks it will save $1 billion a year.
Proprietary systems that operate in the field have gone the way of the typewriter. With separate companies often working together in a drilling operation, the only previous consistency in their communication systems was there was no consistency. In the effort to determine how to transfer data with each other, the partners were always starting from scratch. It took time to create new software, test it, and then debug it before the two firms’ data collection and analysis systems could communicate. It not only wasted time, but it also was expensive and typically lost data.
With WITS, drillers are able to quickly connect, communicate, and collect data to make real-time decisions that can save time and money. They need a flexible and scalable solution to connect, manage, monitor, and control devices and software. They also need to manage communications through a robust platform that supports open standards such as OPC, DDE, and ODBC as well as proprietary communication interfaces, protocols, and APIs. Supporting both open standards and proprietary communications improves operations and enables better decision-making through all levels of the organization.
Imagine the communications challenges for a project like Exxon Mobil’s complex Sakhalin-1 Project in the Arctic. Exxon Neftegas Limited (ENL), a subsidiary of Exxon Mobil Corp., is the operator of the Sakhalin-1 Project located offshore the Sakhalin Island. Partners include the Japanese company Sakhalin Oil and Gas Development Co. Ltd.; subsidiaries of Russian state-owned oil company Rosneft, RN-Astra and Sakhalinmorneftegas-Shelf; and Indian state-owned oil company ONGC Videsh Ltd.
The first phase of Sakhalin-1 consisted of an onshore drilling rig with extended-reach wells and an offshore drilling and production platform. At 230 feet tall, the Chayvo land-based drilling rig named Yastreb is the largest and most powerful land rig in the industry, designed to withstand earthquakes and severe Arctic temperatures.
Yastreb drilled down and then horizontally under the sea floor for more than seven miles, making this extended-reach well one of the longest in the world. Extended-reach wells reduce development costs and minimize marine impacts by avoiding the need for additional offshore structures.
While the Sakhalin-1 Project may be extreme, it just goes to show how important communications are in all aspects of the operation. With major companies working on the same project, it is vital to get the data out to the partners. One of the major challenges faced by exploration and production companies is receiving multiple types of information every day from different directions and sources. It is not always easy to retrieve this data on demand, and in some cases, it never reaches the recipient because it is misfiled or lost.
With the common consortia of oil and gas companies working at drilling sites today, each joint venture partner demands timely information on progress so operational and financial decisions can be made. Time is money. The operating company needs to have a reliable, efficient, and consistent way to distribute information. This often puts pressure on operating company staff at critical times. Instead of searching for the information, operators would rather be analyzing the data.
It all starts and ends with the product energy companies are pulling out of the ground. The need remains simple: Pull timely and accurate data from the site, put it into context, and then get it in the right hands. This need is simple for sure, but the complexity of the tools is becoming greater. The end result means more energy, more product, and more profit – all in real-time.
Gregory Hale is the editor/founder of Industrial Safety and Security Source (ISSSource.com).
By Gregory Hale
In an environment where companies are averse to revealing details on whether or not they suffered a cyber incident, a small indicator of the growth of attacks comes from ICS-CERT: nine reported incidents in 2009, 41 in 2010 and 198 last year.
In ICS-CERT’s first year, the organization recorded nine cyber incidents, four of which were actual incidents. Two of those resulted in sending out onsite response teams, while two others were handled remotely. Reports came in from the energy, water and dams sectors and from one cross-sector case.
“The ICS-CERT report represents an important metric for cyber security of control systems,” said Kim Legelis, vice president at Industrial Defender. “By reporting a four-fold increase of incidents, the ICS-CERT shines the light on the need for control systems operators to be vigilant with respect to cyber security.”
In 2010, there were 41 incident reports with eight resulting in onsite response teams, while an additional seven incidents involved remote analysis, according to a report issued by ICS-CERT.
The industries involved also grew with energy, water, dams, nuclear, chemical, government, critical infrastructure and cross-sector.
ICS-CERT received multiple reports of secure shell (SSH) brute force attacks attempting to access critical infrastructure companies that operate industrial control systems (ICS).
These incidents reflected an increased awareness of the attack potential and attractiveness of targeting ICS, according to the ICS-CERT report.
Multiple spear-phishing incidents were also reported that year. That is important to remember because spear phishing remains a big threat for most companies and organizations.
“One particularly interesting aspect of the report is the noted increase in spear phishing attacks,” Legelis said. “Spear phishing has long been used by attackers in other industries to provide an internal beachhead from which an organization can be infiltrated. Because social engineering attacks rely on the ability to mislead employees into unknowingly providing an entry point for attackers, they make attack prevention extremely difficult. ICS cyber security professionals are relying on alternative methods to combat risks. Many have found logging and security monitoring technologies essential for detection, while advances in white listing can protect critical systems from malware infection and data exfiltration.”
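One way to turn sshd logs into the kind of monitoring Legelis describes, applied to the SSH brute force reports mentioned above, as an added example that is neither from this article nor from ICS-CERT: a per-source sliding window over failed logins, with a successful login after a burst escalated for incident response. The log lines, hostname, addresses (RFC 5737 test ranges), year and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines for the example (RFC 5737 test addresses, made-up
# hostname and PIDs); not taken from any incident in the article.
SAMPLE_LOG = """\
Mar  3 02:14:01 scada-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2
Mar  3 02:14:03 scada-gw sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 52312 ssh2
Mar  3 02:14:05 scada-gw sshd[2215]: Failed password for root from 203.0.113.7 port 52313 ssh2
Mar  3 02:14:06 scada-gw sshd[2217]: Failed password for operator from 203.0.113.7 port 52314 ssh2
Mar  3 02:14:08 scada-gw sshd[2219]: Failed password for operator from 203.0.113.7 port 52315 ssh2
Mar  3 02:14:11 scada-gw sshd[2221]: Accepted password for operator from 203.0.113.7 port 52316 ssh2
Mar  3 02:30:40 scada-gw sshd[2301]: Failed password for operator from 198.51.100.22 port 40001 ssh2
Mar  3 02:41:12 scada-gw sshd[2355]: Accepted publickey for operator from 198.51.100.22 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2012):
    """Return (timestamp, result, user, source) or None for lines we do not handle.

    Syslog omits the year, so the caller supplies it (constructed default here).
    """
    match = LINE_RE.match(line)
    if match is None:
        return None
    stamp = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
    return stamp, match["result"], match["user"], match["src"]


def detect_brute_force(lines, threshold=5, window_s=60):
    """Flag sources with `threshold` failures inside `window_s` seconds.

    Returns a list of (severity, source, message). A burst of failures is
    reported once as 'high'; any accepted login from a source that already
    produced a burst is reported as 'critical', because a password guessed
    after repeated failures is the case that needs an incident responder.
    """
    recent_failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, result, user, src = parsed
        window = recent_failures[src]
        if result == "Failed":
            window.append(stamp)
            # Drop failures that have aged out of the window.
            while window and (stamp - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("high", src,
                               f"{len(window)} failed SSH logins within {window_s}s"))
        elif src in flagged:
            alerts.append(("critical", src,
                           f"SSH login for '{user}' accepted after a brute-force burst"))
    return alerts


if __name__ == "__main__":
    for severity, src, message in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {src}: {message}")
```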
Other threats from 2010 include:
Mariposa infections in Critical Infrastructure and Key Resources (CIKR). Defense Intelligence identified the Mariposa botnet in May 2009. Although the primary command and control (C2) infrastructure went down in December of that year, ICS-CERT continued to receive malware infection reports into early 2010, at least one of which resulted in an onsite incident response to determine whether the malware had breached the control system network. The operations executed by the botnet were diverse, in part because third parties could rent out parts of the botnet. Confirmed events include denial-of-service attacks, email spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads.
Stuxnet. Stuxnet, the first ever malware specifically written to target ICS, was discovered in 2010. ICS-CERT analyzed the malware and its impacts to control systems in coordination with various government agencies, law enforcement, industry, and other organizations such as Symantec, Microsoft, CERT Bund, Siemens, and various sector ISACs (i.e., Energy, Chemical, Nuclear, Dams, Water, Transportation).
In 2011, ICS-CERT received 198 reports of incidents. Of those 198, seven resulted in the deployment of onsite incident response teams. An additional 21 incidents involved analysis efforts to identify malware and techniques used by attackers.
In addition, even more sectors were part of the attack picture that year: energy, water, dams, nuclear, chemical, government, critical infrastructure, cross-sector, communications, transportation and information technology, to name a few.
Quite a few of the Internet facing control systems employed a remote access platform from the same vendor, configured with an unsecure authentication mechanism. ICS-CERT coordinated with the vendor to mitigate the authentication vulnerability and also took on the task of identifying and notifying the affected asset owners.
In all cases, ICS-CERT works with reporting organizations to help determine whether the control network was compromised and provides mitigations to detect and stop the activity.
Some examples include:
• ICS-CERT worked with several companies that were part of the Night Dragon attacks, first reported in February 2010, targeting global oil, energy, and petrochemical companies. Hackers moved deliberately through networks, trolling for sensitive data and intellectual property.
• ICS-CERT worked with several organizations impacted by the Nitro attacks, where companies involved in research and development of chemical compounds and materials were the targets of sophisticated attacks. Reports indicated the attackers gathered data from across the victim networks and moved it to internal staging servers to make data exfiltration more efficient.
These incidents highlight the activity of sophisticated threat actors and their ability to gain access to system networks, avoid detection, use advanced techniques to maintain a presence, and exfiltrate data. ICS-CERT also collaborated with the international cyber security community working with over 30 different countries and, in most cases, interfacing directly with the international Computer Emergency Response Teams (CERTs) to coordinate responses and reach out to affected organizations and vendors.
Editor’s Note: This is Part I of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
A very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.
Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called “Advanced Persistent Threats – A Real Problem with Real Solutions.” Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS/SCADA world.
First, a little background. APTs are carefully crafted attacks against a focused target designed to be effective over an extended period of time. Richard Bejtlich in his TaoSecurity Blog says it well:
• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data).
Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.
Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also a good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.
Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. This column will discuss the first approach.
Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.
So the smart IT teams are focusing their scarce security resources on securing those assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (a technique known as the Bastion Model, which bases a security design on hiding behind a single monolithic solution and so risks a single point of failure). Instead, they install additional layered defenses directly protecting key assets such as servers containing sensitive financial or intellectual property information.
There are good reasons for using this approach. The obvious one is that it allows a defense in depth strategy, rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day than for two hundred servers. Tasks that are highly focused are more likely to be carried out by overworked security staff.
The third reason is that these assets are the same ones the bad guys will focus on. Sure hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.
The strategy of focusing your defenses also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety instrumented system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.
Consider Stuxnet. Symantec reports the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defense focused on protecting those PLCs, their enrichment process likely would never have been impacted. Clearly, they focused more on a bastion security model, which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.
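The asset-focused review the column recommends (read every log line touching the two servers that matter, rather than skimming two hundred) can be mechanised so that the scarce daily review time lands on the right events. The following is an added illustration, not code from Tofino Security or the Practical SCADA Security blog; the asset inventory, the allowed-source lists, the host names and the firewall log lines are all constructed for the example. It parses connection events, keeps only those whose destination is a critical (tier 1) asset, and puts connections from a source that is not on that asset's allowlist at the top of the review queue.

```python
"""Asset-focused log triage: surface only events that touch critical assets.

Added example; inventory, allowlists and log lines are constructed.
"""
import re
from collections import namedtuple

# Constructed asset inventory: name -> criticality tier and the hosts that
# are expected to talk to it. Tier 1 = compromise impacts production,
# safety or the environment (the SIS / PLC / RTU class of asset).
INVENTORY = {
    "sis-01":    {"tier": 1, "allowed_sources": {"eng-ws-01"}},
    "plc-cl2":   {"tier": 1, "allowed_sources": {"hmi-01", "eng-ws-01"}},
    "hist-01":   {"tier": 2, "allowed_sources": {"hmi-01", "dmz-proxy"}},
    "office-fs": {"tier": 3, "allowed_sources": set()},  # empty = not enforced
}

# Constructed syslog-style firewall connection records.
SAMPLE_LOG = """\
2012-06-04T08:00:01 fw conn src=hmi-01 dst=plc-cl2 proto=tcp dport=102 action=allow
2012-06-04T08:00:05 fw conn src=eng-ws-01 dst=sis-01 proto=tcp dport=102 action=allow
2012-06-04T08:01:12 fw conn src=laptop-77 dst=office-fs proto=tcp dport=445 action=allow
2012-06-04T08:02:30 fw conn src=laptop-77 dst=plc-cl2 proto=tcp dport=102 action=allow
2012-06-04T08:03:00 fw conn src=dmz-proxy dst=hist-01 proto=tcp dport=1433 action=allow
2012-06-04T08:04:44 fw conn src=laptop-77 dst=sis-01 proto=tcp dport=102 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

Finding = namedtuple("Finding", "ts src dst tier reason")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, max_tier=1):
    """Return (findings, total_events).

    Findings cover only destinations whose tier is <= max_tier. Events from a
    source not on the asset's allowlist are marked and sorted first; the rest
    are still listed, because for a critical asset every event is reviewed.
    """
    findings, total = [], 0
    for ev in parse(log_text):
        total += 1
        asset = INVENTORY.get(ev["dst"])
        if asset is None or asset["tier"] > max_tier:
            continue
        allowed = asset["allowed_sources"]
        if allowed and ev["src"] not in allowed:
            reason = "unexpected source (%s)" % ev["action"]
        else:
            reason = "routine"
        findings.append(Finding(ev["ts"], ev["src"], ev["dst"], asset["tier"], reason))
    # Unexpected sources first, then chronological.
    findings.sort(key=lambda f: (f.reason == "routine", f.ts))
    return findings, total


if __name__ == "__main__":
    found, n = triage(SAMPLE_LOG)
    print("%d of %d events touch tier-1 assets" % (len(found), n))
    for f in found:
        print(f)
```

Running it on the constructed log reduces six events to the four that touch a tier 1 asset, and the two connections from `laptop-77` (one allowed by the firewall, one denied) come out first; the denied one matters as much as the allowed one, because it shows a host probing an asset it has no business reaching. Raising `max_tier` widens the review scope in the same code, which is how the balance between focused and field-wide defense discussed later in the column can be tuned.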
Don’t get me wrong, neither Paul nor I am advocating giving up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.
What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.
So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.
Eric Byres is chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.
By Gregory Hale
Critical infrastructure organizations should be on alert because they will be the target of a cyber attack before long.
Over exaggerated hyperbole from folks watching the cyber security environment? Hardly. Just cold hard facts.
If Flame taught the industry anything, it is that professional hackers can get in and find out the details and nuances of any system they want to. It seems Flame did just that, as Duqu did before it. What they are looking for and what they have in store for potential victims remains to be seen. But for now, operators of critical infrastructure should be on alert. Not only because of the possibility of being collateral damage in a cyber war incident, but also because, as Night Dragon showed, there are organizations, companies, and countries trying to get in and steal vital information.
In the Night Dragon case, the attackers compromised perimeter security through SQL injection attacks on extranet web servers, targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts. They were able to get in and find financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.
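The SQL injection foothold named here as Night Dragon's entry point is, at the code level, a web application pasting user input into query text. The block below is an added illustration (not code from the Night Dragon report or from ISSSource) that puts the vulnerable lookup beside the parameterized one and runs both against an in-memory SQLite table; the table, the two accounts and the inputs are constructed for the example. It shows why the fix is binding the input as a parameter rather than filtering characters.

```python
"""SQL injection in a login lookup: string-built query beside the bound one.

Added example; the accounts table and inputs are constructed.
"""
import sqlite3


def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    character in it changes the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """Hardened form: the input is bound as a parameter and the database
    treats it purely as a value, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run both forms on a benign name and on the textbook tautology input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed: closes the quote, adds an always-true clause
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_hostile": find_user_vulnerable(conn, hostile),
        "safe_benign": find_user_safe(conn, benign),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-13s -> %s" % (name, rows))
```

With the benign name both functions return the single matching row. With the hostile input the string-built query collapses to `WHERE username = 'x' OR '1'='1'` and returns every account, while the bound query looks for a user literally named `x' OR '1'='1` and returns nothing. On an extranet web server this is the difference between an authentication bypass and a failed login that can be logged and alerted on.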
Companies today need to protect against any possible attack vector from any source globally. Just take a look at Stuxnet.
As ISSSource reported last September, we know Stuxnet was the creation of a joint U.S.-Israel project. What continues to astound is the thought that other operators of critical energy sources, such as electric, water, oil, coal and nuclear, among others, are not moving faster to create a solid defense in depth posture to keep out the bad code that can lead to the destruction of a facility.
The idea originally espoused once we learned about the originators of the Stuxnet worm and the targeted victims was: “It was the good guys against the bad so we are not a target.” That mindset seems to be winning out throughout the manufacturing automation industry. Unfortunately, that is a very misguided thought process. Protection is paramount.
Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The code, which is currently out on the Internet, used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.
The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.
As ISSSource’s Richard Sale reported back in October, Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.
At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.
The groundwork for the plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens, the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.
In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study Siemens PCS 7 or Step 7 platform which runs all sorts of sensors and machines in the process control system, the sources said.
As it turned out the system they were testing was also the same system running the nuclear enrichment plant in Natanz.
While the technical plan of creating the Stuxnet virus was ongoing, Israel was training operatives, or as it turned out double agents, to plant the worm using a corrupt “memory stick,” said former and serving U.S. intelligence officials.
These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.
“Iranian double agents would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” were arrested in connection with the Stuxnet virus.
These acts against Iran will not go unpunished. It only makes sense Iran will find a way to fight back in this new era of cyber warfare. But put that thought aside for a moment: code is out there that has proven it can get into systems and take them over. Stuxnet code is on the Net and there for the picking. A modified version or just a copycat can end up sitting on a system of choice, lurking and waiting for a moment to pounce.
Stuxnet is scary code. The cold hard fact is more manufacturers need to focus on creating a defense in depth plan.
Gregory Hale is the founder and editor of ISSSource.com.