ISSSource White Papers

Posts Tagged ‘espionage’

Friday, August 21, 2015 @ 04:08 PM gHale

Organizations are coming to terms with the fact that insider threats can be one of the most serious security challenges they face.

Developing a program to mitigate internal threats has become more urgent with the growing complexity of workplaces and the fact that insider threats are becoming more difficult to detect, said a report from consulting firm Deloitte. The threats can include fraud, espionage, IT sabotage and theft of intellectual property.

Mitigation programs can help organizations strengthen their position against internal threats by providing early detection of threats and a quick response. But the study points out threats are not limited to information security, and, by looking at insider-threat mitigation broadly, C-level executives can help reduce the level of risk to their organization.

There are several actions companies can take when designing, creating and deploying a formal insider-threat mitigation program:
• Organizations need to define potential insider threats. These can be employees, contractors or vendors that commit malicious or unintentional acts using their trusted and verified access to systems.
• Few organizations have a specific working definition of such threat sources, partially because security budgets have historically focused on external threats. Defining potential insider threats is a critical first step to creating a program.
• Enterprises also need to define their “risk appetite,” and identify the critical assets that need to be protected. What is the organization’s tolerance for the loss of or damage to those assets?
• Companies should identify key threats and vulnerabilities within the business and its processes. The development of the program can then be shaped to address these specific needs and types of threats, as well as taking into account the organization’s culture.

The insider threat mitigation program should have a champion, a broad group of stakeholders and support from executive leadership. Companies should consider forming a cross-functional working group that ensures the proper level of buy-in across departments and stakeholders. This group should help address common concerns and should support the creation of messaging to the entire organization.

The program should not rely solely on technical solutions. It should also include critical business processes, such as segregation of duties for various functions, nontechnical controls, organizational change management components and security training programs.

Organizations should also establish routine and random reviews of privileged functions, which are commonly performed to identify insider threats across a range of areas. They should trust their employees, but balance that trust with verification to avoid providing unlimited access and single points of failure.

Organizations also need to “stay a step ahead.” Insiders’ methods, tactics and attempts to cover their tracks constantly evolve, which means the insider-threat program should continually evolve as well.

Thursday, August 7, 2014 @ 05:08 PM gHale

By Gregory Hale
Government sponsored malware attacks, once thought of as science fiction, are real and they are hitting industries, like the manufacturing industry, across the world.

Unlike the nuclear arms race, the cyber arms race has a bunch of governmental contestants, but no one really knows their strengths.

“Cyber warfare is not detectable, unlike nuclear warfare, which is. If you look at the changes in the threat landscape, the cyber arms race does not allow for (who has what technology),” said Mikko Hyppönen, chief research officer for F-Secure, during his talk Wednesday at Black Hat USA 2014 in Las Vegas. “Yes, the U.S. has capabilities, but what about the other countries? Government actively using malware is only about 10 years old. If you talked about that back then, it would sound like science fiction, but it is true.”

Hyppönen went into a bit of a history lesson on government sponsored malware attacks, but he also talked about some of the advantages governments get out of using malware.

Some of those benefits:
• Law enforcement
• Espionage
• Surveillance
• Sabotage
• Warfare

Russians have been linked to some big malware attacks like CosmicDuke and Havex, Hyppönen said. Havex is interesting because it appears to be doing reconnaissance work in the industrial control industry.

“Havex is scanning ICS gear,” he said. “It doesn’t do anything, so we don’t actually know what it is doing. We think it could be fingerprinting; it is unclear, but it is interesting.”

What is also interesting, Hyppönen said, is its method of distribution. “To distribute the malware, they hacked four ICS vendors and infected them.” So, when their customers downloaded software from the vendors, they were then infected.

When you talk about government sponsored malware, one of the first major attacks was Stuxnet, which ISSSource reported was a joint project between the U.S. and Israel to damage Iran’s nuclear program by bringing down centrifuges at Iran’s Natanz facility.

Now that the Stuxnet code is out and available on various web sites, you would think there would be more attacks.

“We expected more copycats of Stuxnet, but we haven’t seen it yet,” Hyppönen said. “We are surprised and that is good news.”

One of the more amusing fallouts from Stuxnet came a couple of years after when Hyppönen received an email out of the blue from a worker at the Iranian Atomic program, but not at Natanz. The email said: “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was the American band acdc thunderstruck. It was all very strange and happened very quickly. the attackers also managed to gain root access to the machine they entered from and removed all the logs.”

While Hyppönen said he was unable to confirm the note, he said that is one of the things governments try to do: make the victim country’s leaders lose faith in their engineers. They want to raise doubts. Once there is a lack of confidence, that hurts the country.

“When I joined this company in 1991,” Hyppönen said, “I didn’t expect it to come to this, but that is what has happened.”

Thursday, September 19, 2013 @ 05:09 PM gHale

After reports of hacking attempts, Brazilian oil giant Petrobras wants to keep itself on the winning security edge by increasing its spending on its IT infrastructure this year and for the following four years at least.

Maria das Graças Silva Foster, president of Petrobras, said at a public hearing in the Brazilian Senate the company will invest $1.8 billion (R$4 billion) in 2013 and $9.6 billion (R$21.2 billion) between 2013-2017 on information technology and telecommunications.

“This is a policy that is so important it has been personally approved by the board of directors,” said Graças Foster. “The management of our goods, people, information and the wealth we create is of crucial importance.”

During the joint hearing with the Parliamentary Commission for the Espionage Inquiry and the Economic Affairs and Foreign Relations committees in the Senate, she said the company constantly monitors and protects its information. As a case in point she cited the quantity of emails that are preemptively blocked.

“Between August 09 and September 09 we received 195.9 million emails,” she said. “Of these, 16.5 million arrived at their destination.”

Regarding press reports the U.S.’ National Security Agency (NSA) targeted Petrobras through espionage, the president said no violation of Petrobras systems had been recorded, but the presence of the company’s name in reports has created “discomfort.”

“Systems used by Petrobras are among the most advanced on the market,” she said, emphasizing “investment in information security should be set to follow technological developments.”

Graça Foster said Petrobras has an integrated data processing center, which has restricted access, and the company’s strategic information does not go through the Internet.

“The company’s knowledge is held at the data processing center. Critical information is stored in an encrypted closed system. Access to the center is controlled with biometrics, weighing and monitoring with cameras,” she said. Despite working with partner companies and suppliers, only Petrobras holds the complete information, and only the company is able to read it, she said. Additionally, Petrobras has contracts that provide for confidentiality.

Strict security procedures included requiring scientists and functionaries to avoid transferring the most critical data, such as seismic studies of the company’s oil reserves, through the Internet.

Friday, February 22, 2013 @ 03:02 PM gHale

Even in today’s heightened digitally aware environment, companies remain unprepared to protect themselves against an emerging, relentless cyber security danger that threatens national security and economic stability, a new survey said.

Advanced persistent threats (APTs) are not easy to eliminate, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found 53 percent of respondents do not believe APTs differ from traditional threats.

This disconnect indicates IT professionals and their organizations may not be fully prepared to protect themselves against APTs, ISACA said.

“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said. “Traditional cyber threats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective — and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”

High-profile examples of APTs include the Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often look to steal intellectual property, the Google Aurora and RSA attacks show these threats are not just facing government entities, the report said.

Although more than 70 percent of IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70 percent said they are able to respond to APT attacks, their description of controls indicates a misunderstanding and lack of preparation, according to ISACA. Top controls enterprises use to stop APTs were anti-virus and anti-malware programs (95 percent), and network perimeter strategies such as firewalls (93 percent).

The difference is APTs can get around these types of defenses. “APTs call for many defensive approaches,” said ISACA Director Jo Stewart-Rattray.

APT attackers use social media to learn about employees of target organizations. Then they send “spear phishing” emails that appear legitimate. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.

While 22 percent of respondents said they suffered an APT attack, 63 percent said it is only a matter of time before their enterprise ends up targeted by an APT.

“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cyber security for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”

Thursday, July 26, 2012 @ 08:07 PM gHale

By Gregory Hale
It takes a strong-willed security team and a strong management team to let a persistent attacker stay on your network so you can learn more about what he is up to.

But that is exactly what Jim Aldridge said during his talk Wednesday, “Targeted Intrusion Remediation: Lessons from the Front Line,” at Black Hat USA 2012.

“Not all targeted threats are persistent threats, but persistent threats are usually spies or espionage,” Aldridge said. These attacks come from humans using technology, but they have a plan of attack and they want to stay on the system as long as possible to get as much information on the product lifecycle as possible.

“These are targeted threats. They do this for a living; these are adversaries that will take the time to do reconnaissance on your organization,” he said.

“A persistent means the adversary will stay in the environment for a long time. They want to know the lifecycle of what they are stealing,” Aldridge said.

The attackers are smart: once they get into a system, they go out and find other systems to infect, and they add a few backdoors as an insurance policy to ensure they can stay in the system and understand every nuance of the product they are spying on.

Aldridge listed eight parts of the attack lifecycle:
• Reconnaissance
• Compromise
• Establish a foothold
• Escalate privileges
• Internal reconnaissance
• Move laterally
• Maintain presence
• Complete mission

It used to be once you found a threat on your system, you just pulled it offline. “But often attackers will move laterally and infect other machines. You clean one machine and others get filled up,” Aldridge said. That is why it is wise to keep the attackers on the system until you can determine the entire attack vector and what the attacker is looking for, he said.

Aldridge then went through a simple attack scenario where the use of a spear phishing campaign got the attacker into a targeted victim’s system. “Within a couple of days, the hacker probably got in and you didn’t even know about it,” he said.

Once they are in, the security professionals’ job is to make the attackers’ job much harder.

“You want to make their job more difficult. You want to stop them from getting around, but you have to understand you were targeted for a reason,” he said.

He said companies need to work out a solid plan to secure their environment because attacks happen and will continue to happen.

“There will be a next time,” Aldridge said.

Tuesday, July 3, 2012 @ 03:07 PM gHale

U.S. companies lost $13 billion through economic espionage in the current fiscal year, the FBI said.

Not only that, but as the FBI’s economic espionage caseload grows, so does the percentage of cases attributed to an insider threat, meaning that individuals currently (or formerly) trusted as employees and contractors are a growing part of the problem. Those were the observations made by the FBI to a House Committee on Homeland Security, Subcommittee on Counterterrorism and Intelligence hearing.

FBI Assistant Director, Counterintelligence Division Frank Figliuzzi discussed a February 2012 indictment, where several former employees with more than 70 combined years of service to the company were convinced to sell trade secrets to a competitor in the People’s Republic of China (PRC).

“Entities owned by the PRC government sought information on the production of titanium dioxide, a white pigment used to color paper, plastics, and paint. The PRC government tried for years to compete with DuPont Corporation, which holds the largest share of a $12 billion annual market in titanium dioxide. Five individuals and five companies were commissioned by these PRC state-owned enterprises to collaborate in an effort to take DuPont’s technology to the PRC and build competing titanium dioxide plants, which would undercut DuPont revenues and business. Thus far, three co-conspirators have been arrested and one additional co-conspirator has pled guilty in federal court. This case is one of the largest economic espionage cases in FBI history,” Figliuzzi said.

“The theft of U.S. proprietary technology, including controlled dual-use technology and military grade equipment, from unwitting U.S. companies is one of the most dangerous threats to national security,” said John Woods, assistant director of national security investigations at U.S. Immigration and Customs Enforcement.

The insider threat is not new, but it’s becoming more prevalent for a host of reasons, Figliuzzi said, including:
• Employee financial hardships during economic difficulties;
• Global economic crisis facing foreign nations, making it even more attractive, cost-effective, and worth the risk to steal technology rather than invest in research and development;
• Ease of stealing anything stored electronically, especially when one has legitimate access to it; and
• Increasing exposure to foreign intelligence services presented by the reality of global business, joint ventures, and the growing international footprint of American firms.

Figliuzzi said another grave threat to national security is the illegal transfer of U.S. technology.

“The FBI is seeing an expansion of weapons proliferation cases involving U.S. acquired components. These are components exported from American companies, initially headed to someplace they’re allowed to be, but ultimately destined for someplace they should never be,” he said.

The FBI’s Counterproliferation Center (CPC), which identifies and disrupts networks of weapons of mass destruction (WMD) activity, is responsible for pursuing cases of illegal technology transfer, whether the technology is for WMDs or other uses. The CPC has tripled its disruptions of illegal transfers of technology since FY 2011.

“We have made more than a dozen arrests since the CPC’s inception in July 2011, including the arrests of multiple subjects on the Central Intelligence Agency’s Top Ten Proliferators List,” Figliuzzi said.

The magnitude of the threat ends up compounded by the ever-increasing sophistication of cyber-attack techniques, such as attacks that may combine multiple techniques. Using these techniques, cyber thieves may target individuals and businesses, resulting in, among other things, loss of sensitive personal or proprietary information.

“These concerns are highlighted by reports of cyber incidents that have had serious effects on consumers and businesses,” said Gregory Wilshusen, director, Information Security Issues for the Government Accountability Office. “These include the compromise of individuals’ sensitive personal data such as credit- and debit-card information and the theft of businesses’ IP and other proprietary information. While difficult to quantify monetarily, the loss of such information can result in identity theft; lower-quality counterfeit goods; lost sales or brand value to businesses; and lower overall economic growth and declining international trade,” he said.

Friday, June 15, 2012 @ 03:06 PM gHale

There is a shortage of talented computer security experts in the United States, making it difficult to protect corporate and government networks at a time when attacks are on the rise.

That is what Symantec Corp. Chief Executive Enrique Salem said at the Reuters Media and Technology Summit in New York. In an effort to boost the talent pool, Salem’s company is working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.

“We don’t have enough security professionals and that’s a big issue. What I would tell you is it’s going to be a bigger issue from a national security perspective than people realize,” he said.

Jeff Moss, a hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task.

“If you really look at security, it’s like trying to prove a negative. If you do security well, nobody comes and says ‘good job.’ You only get called when things go wrong.”

The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.

Moss, who goes by the hacker name “Dark Tangent,” said he sees no end to the labor shortage.

“None of the projections look positive,” said Moss, who serves as chief security officer for ICANN, a group that helps run some of the Internet’s infrastructure. “The numbers I’ve seen look like shortages in the 20,000s to 40,000s for years to come.”

In order to boost the workforce, the National Security Agency is setting up a new cyber-ops program at select universities to expand U.S. cyber expertise needed for secret intelligence operations against computer networks of adversaries. The cyber-ops curriculum should provide the basic education for jobs in intelligence, military and law enforcement.

U.S. defense contractor Northrop Grumman Corp. on Monday launched the first undergraduate honors program in cyber security with the University of Maryland to help train more workers for the burgeoning field.

Moss, who founded the Defcon and Black Hat hacking conferences held in Las Vegas each summer, said that U.S. government agencies are so desperate to fill positions that they are poaching security experts from private firms.

Wednesday, June 6, 2012 @ 03:06 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
The discovery of the Flame malware last week focused the cyber security world on the sophisticated strikes targeting energy companies in the Middle East.

Although Flame’s goal was espionage rather than damaging operations as Stuxnet did, it has been seen as one more indication that the industrial world is now in the bull’s eye of clever attackers.

On the heels of Flame coverage, David Sanger, the Pulitzer Prize winning Washington correspondent for The New York Times, released his new book “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.” Up to now, many writers speculated the U.S. and Israel collaborated on Stuxnet. This book does not speculate; it builds a strong circumstantial case these two countries did indeed create and launch Stuxnet against Iran.

While the book does not include named sources or other hard evidence, the information is very plausible. A number of the technical subtleties of Stuxnet are described with unusual accuracy.

Undoubtedly, there will be mistakes in a book like this, but the core message seems very plausible – the U.S. and Israel did launch Stuxnet against Iran’s nuclear program.

Up until now Iran couldn’t be sure who created Stuxnet, so it might have held back from launching a counter attack.

Now, true or not, both the book and The New York Times story based on it, have made it difficult for the U.S. Administration to deny it was behind the Stuxnet attacks. So far the U.S. Administration has remained silent.

This means that the gloves are off. Cyber warfare has moved from “you don’t ask and we don’t tell” to open aggression between countries.

A 2011 Wall Street Journal article stated: “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.”

Does this now give Iran the right to respond with a military option?

At the just concluded ISS Asia Security Summit, the UK Minister of State for the Armed Forces, Nick Harvey, said: “Pre-emptive cyber strikes against perceived national security threats are a ‘civilized option’ to neutralize potential attacks.”

At the same conference, Malaysian Defense Minister Ahmad Zahid Hamidi said a cyber arms race was already under way: “What remains disturbing is that cyber warfare need not be waged by state-run organizations but could be conducted by non-state entities or even individuals with intent to cause disruptions to the affairs of the state.”

The likely targets of cyber attacks aimed at nation states are energy, water and transportation systems. If your facility is in these sectors, you now have more urgency than ever to make sure that your facility is following robust cyber security practices.
Eric Byres is chief technology officer at Byres Security.

Wednesday, March 28, 2012 @ 09:03 AM gHale

After trying to sell space and defense secrets to Israel, a former government space scientist got 13 years in prison.

Appearing in federal court in a prison jumpsuit, Stewart Nozette said he is “paying for a fatal lack of judgment. I accept full responsibility,” Nozette told U.S. District Judge Paul Friedman.

Prosecutors and Nozette’s lawyers agreed to the 13-year sentence, with credit for the two years Nozette has spent behind bars since his arrest.

Nozette had high-level security clearances during decades of government work on science and space projects at NASA, the Energy Department and the National Space Council in President George H.W. Bush’s administration.

Nozette pleaded guilty to one count of attempted espionage, admitting he tried to provide Israel with top secret information about satellites, early warning systems, methods for retaliating against large-scale attack, communications intelligence information and major elements of defense strategy.

In court, prosecutors played a videotape of Nozette telling an FBI undercover agent posing as an Israeli spy that “I’ve sort of crossed the Rubicon,” or passed a point of no return. On the video, Nozette said he would charge Israel “at most 1 percent” for passing information about an unspecified program that Nozette said cost the U.S. government $200 million.

Nozette, 54, was a “traitor” who engaged in attempted espionage with “unbridled enthusiasm,” Assistant U.S. Attorney Anthony Asuncion told the judge.

At the time of Nozette’s arrest for attempted espionage in 2009, he was awaiting sentencing on fraud and tax evasion charges.

On Wednesday, the judge sentenced him to 37 months on those charges, to run concurrently with the sentence in the espionage case.

Nozette was primarily a defense technologist who had worked on the Reagan-era missile defense shield effort, nicknamed “Star Wars” and formally called the Strategic Defense Initiative.

As a leading scientist at the Lawrence Livermore National Laboratory in the 1990s, Nozette came up with the concept behind the Clementine space mission, which ultimately discovered ice on the moon, according to the sentencing memo in the espionage case by Nozette’s legal team.

One of Nozette’s lawyers, Bradford Berenson, called the espionage case “vindictive” and an illustration of “overreaching government conduct” at a time when Nozette was already enmeshed in the tax and fraud case.

The government suspected Nozette might be interested in spying after a search of his Chevy Chase, Md., home in February 2007 in the tax and fraud probe.

Nozette ran a nonprofit corporation called the Alliance for Competitive Technology that had several agreements to develop advanced technology for the U.S. government. But he was overstating his costs for reimbursement and failing to report the income on his tax returns. Berenson called that case “relatively minor” and a violation that “a lot of small businesses engage in.”

The search of his home turned up classified documents, though Nozette’s lawyers said in his defense Wednesday they were not marked “classified.” Nozette was not at the level where he could have unsecured classified documents in his home.

Agents also discovered Nozette sent an email in 2002 threatening to sell information about a classified program he was working on to Israel or another country. The FBI decided to conduct an undercover operation to see how serious he was.

The attempted selling of secrets “never would have happened but for the tax and fraud case,” Berenson said.

“This was functional entrapment,” said Berenson. Entrapment is a defense to criminal charges when the agent originates the idea of the crime and induces the accused to engage in it.

Nozette also must pay $217,800 in restitution for fraudulent claims he made to the U.S. Naval Research Laboratory in Washington, D.C., the Defense Advanced Research Projects Agency in Arlington, VA, and NASA’s Goddard Space Flight Center in Greenbelt, MD.

Wednesday, March 14, 2012 @ 05:03 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
Recent well-designed ICS worms and cyber attacks such as Night Dragon, Duqu and Nitro have been revealed. Each of them has focused on stealing intellectual property such as oil field bids, SCADA operations data, design documents and other information that could cause business harm. This focus on industrial data compromise is new, and signals a new era of industrial malware.

When most people consider the motivation of worm creators and hackers, they think of the destructive focus of early cyber events like the Slammer worm or Mafia-Boy attacks. Nitro and Duqu show a different focus – subtle and persistent attempts to steal valuable information. This information could then be used to make a competitive or counterfeit product, out-bid a rival for an oil or mineral exploration lease, or coordinate a marketing campaign against a competitor’s new product.

Theft of process information for commercial espionage is nothing new; it was around long before networks and cyber security showed up. Today, the profit potential for IP theft can be enormous. One consumer products company estimates that IP theft from its operations results in nearly a billion dollars of counterfeit product produced and sold every year. This is money the company will never see.

These worms could also be precursors to later destructive attacks against automation systems. Clearly the Stuxnet designers collected detailed process information on their victim prior to actually creating their worm. Could the Duqu worm be a forerunner to a more destructive attack? Symantec certainly thinks so.

It is worth noting that the goal of Stuxnet was to impact production (of enriched uranium) rather than cause an explosion and kill people. So it is possible that the goal of this next generation of malware is to quietly stop production at a plant or utility somewhere in the world. Impacting the production of a competitor, short selling the shares of a company or extorting money under the threat of a disruption are all profitable activities for a criminal or nation-state group.

Security experts suggest the only solution is to go back to the days of completely isolated automation systems. Unfortunately, walling off a control system just isn’t feasible today. Modern industry and the technologies it depends on need a steady diet of electronic information from the outside world to operate. Cut off one source of data into the plant floor and another (potentially riskier) “sneaker-net” source replaces it.

Now industry and government can try to battle this trend by banning technologies and mandating complex and onerous procedures. We see this sort of strategy every time we try to board a plane and wait in long lines to take our shoes off and get our hair shampoo confiscated. Frankly, I don’t think it is effective or efficient security for air travel. It is even worse for companies that ultimately need to be profitable if they are going to stay in business.

Is the situation hopeless? No, but ICS/SCADA security practices must improve significantly. First, the industry needs to accept the idea that complete prevention of control system infection is probably impossible. Determined worm developers have so many pathways available to them that over the life of a system some assets will suffer compromise. The owners and operators need to adjust their security programs accordingly. In particular, security programs need to:

• Consider all possible infection pathways and have strategies for mitigating those pathways, rather than focusing on a single pathway such as USB keys
• Recognize no protective security posture is perfect, and take steps to aggressively segment control networks to limit the consequences of compromise
• Install ICS-appropriate intrusion detection technologies to detect attacks and raise an alarm when equipment suffers compromise or is at risk of compromise
• Look beyond traditional network layer firewalls, toward firewalls capable of deep packet inspection of key SCADA and ICS protocols
• Focus on securing last-line-of-defense critical systems, particularly safety integrated systems (SIS)
• Include security assessments and testing as part of the system development and periodic maintenance processes. Identify and correct potential vulnerabilities, thereby decreasing the likelihood of a successful attack
• Demand secure control products from automation systems vendors
• Work to improve the culture of industrial security amongst management and technical teams.
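Two of the items above, ICS-appropriate intrusion detection and firewalls that inspect key SCADA/ICS protocols rather than just TCP ports, are easiest to understand with a concrete filter in front of you. The following Python is an added example, not code from ISSSource, Eric Byres or Byres Security; it assumes the protocol is Modbus/TCP (the column does not name one), that TCP reassembly has already happened, and that the host allowlist and the sample frames are invented for the demonstration. It parses the MBAP header, rejects malformed frames, allows read function codes from any host, allows write function codes only from an allow-listed engineering station, and drops everything else (diagnostics, vendor codes) with a reason string an IDS could log.

```python
"""
Illustrative Modbus/TCP deep-packet-inspection policy for an ICS firewall/IDS.
Added example; not code from the page or from Byres Security.
Assumptions (not from the page): the protocol is Modbus/TCP, frames are already
reassembled, and WRITE_ALLOWED_HOSTS is an invented site policy.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus public function codes (Modbus Application Protocol specification).
READ_CODES = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}       # write single/multiple coils and registers
# Only these hosts may change PLC state; constructed example address of an engineering station.
WRITE_ALLOWED_HOSTS = {"10.0.10.5"}


@dataclass
class Verdict:
    action: str                      # "allow" or "drop"
    reason: str                      # human-readable reason suitable for an alert
    function_code: Optional[int] = None


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, pdu) or raise ValueError for a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU; a mismatch is a classic sign of a crafted frame.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return tid, unit, frame[7:]


def inspect(src_ip: str, frame: bytes) -> Verdict:
    """Apply the DPI policy to one Modbus/TCP request from src_ip."""
    try:
        _tid, _unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return Verdict("drop", f"malformed: {exc}")
    fc = pdu[0]
    if fc in READ_CODES:
        return Verdict("allow", "read request", fc)
    if fc in WRITE_CODES:
        if src_ip in WRITE_ALLOWED_HOSTS:
            return Verdict("allow", "write from allow-listed host", fc)
        return Verdict("drop", f"write function {fc} from non-allow-listed host {src_ip}", fc)
    # Diagnostics (8), encapsulated interface (43), vendor codes: not needed in production, so blocked.
    return Verdict("drop", f"function code {fc} not permitted by policy", fc)


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP frame (MBAP header + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source address, frame).
SAMPLES = [
    ("10.0.20.7", build_request(1, 1, bytes([3, 0x00, 0x00, 0x00, 0x0A]))),  # HMI reads 10 holding registers
    ("10.0.20.7", build_request(2, 1, bytes([6, 0x00, 0x10, 0x12, 0x34]))),  # HMI tries to write a register
    ("10.0.10.5", build_request(3, 1, bytes([6, 0x00, 0x10, 0x12, 0x34]))),  # engineering station writes
    ("10.0.20.7", build_request(4, 1, bytes([8, 0x00, 0x01, 0x00, 0x00]))),  # diagnostics sub-function
    ("10.0.20.7", b"\x00\x05\x00\x00\x00\x20\x01\x03"),                       # length field lies about size
]


def run_samples():
    """Inspect every sample frame and return the verdicts in order."""
    return [inspect(ip, frame) for ip, frame in SAMPLES]


if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{ip:12} fc={verdict.function_code} {verdict.action:5} {verdict.reason}")
```

The design point is the one the column makes: a port-level firewall sees all five frames as the same TCP/502 traffic, whereas inspecting the function code and source lets the filter block the unauthorised write and the diagnostics request while leaving the HMI's reads untouched. In a real deployment the allowlist would be per unit id and per register range, and the drop reasons would feed the ICS IDS rather than stdout.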

Implementing these changes will improve the “defense in depth” posture for all industrial control systems. They are needed urgently. If not, your operation might show up on TV, as the lead story in the news about a successful cyber attack.

Eric Byres is chief technology officer at Byres Security.