Malware Report: Learn from Past Attacks

Wednesday, March 9, 2011 @ 03:03 PM gHale

By Gregory Hale
Stuxnet was the biggest and most noteworthy attack on the industrial control environment, but it was not the biggest in terms of documented and investigated malware incidents, according to the Security Incidents Organization’s (SIO) 2011 edition of the Repository of Industrial Security Incidents’ (RISI) annual “Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections.”

“Stuxnet certainly wasn’t the first to attack a control system,” said Eric Byres, chief technology officer at Byres Security. “Malware has been around for a long time and the catch is all malware writers learn from the past. We have to start to learn from what worked and failed in attacks and defenses.”

That is where the RISI report comes in. It investigates incidents that occurred over the years and gives actual analysis of what happened and how an end user can prevent it in the future. A copy of the malware report costs $595, but readers are eligible for a 10 percent discount through ISSSource.com.

As of the end of 2010, the RISI database contained 60 confirmed malware incidents that occurred between 1982 and 2010. While that may not seem like a huge number of incidents, it is rare for any company to report an incident. When a report does come in, analysts review it in detail to identify trends and expose the vulnerabilities exploited in past infections.

“We provide a realistic assessment of the risk of cyber security to industrial operations,” said John Cusimano, SIO executive director and director of exida’s security services division. “We separate fact from fiction. We investigate and study these incidents. We identify common factors that contributed to incidents so we can use that to prevent future incidents. Share lessons learned from historical data.”

What the Security Incidents Organization wants to do is provide information and data collected over a period of time that can give perspective, act as a benchmark to help avoid future incidents, and give ideas on how to get funding for projects.

“We provide statistical information for business cases that security managers must write to get funding for projects,” Cusimano said.

Some of the facts Cusimano pointed out concerned the impact of malware incidents. Loss of staff time was the most common result; however, far more dangerous was loss of view, the second most common impact found.

“Loss of view is akin to driving with your eyes closed,” Cusimano said.

The number four impact of a malware attack was the loss of equipment control.

“Loss of equipment control is quite scary because it means the control system was unable to perform its control function due to the impact of the malware,” Cusimano said.

In terms of what the report means to the industry, it goes to show that with more knowledge, end users will be better prepared.

“It is absolutely critical we continue to do this or we are going to get overrun,” Byres said. “Basically, we are going to lose the arms race with the hacking community and the virus developers unless we start to pay more attention and start to understand their practices and understand our failures and successes.”