Posts Tagged ‘Night Dragon’

Thursday, March 14, 2013 @ 05:03 AM gHale

By Gregory Hale
Patching is often ineffective in providing protection from the multitude of vulnerability disclosures and malware targeting critical infrastructure systems today, new research shows.

While patching such systems is important as part of an overall defense in depth strategy, the difficulties of patching for industrial systems mean that compensating controls are often a better method of providing immediate protection, according to research from Tofino Security.

Since the discovery of the Stuxnet malware in 2010, industrial infrastructure has become a key target for security researchers, hackers, and government agents. Designed years ago with a focus on reliability and safety, rather than security, Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) are often easy to exploit.

As a result, there has been exponential growth in government security alerts for these systems in the past two years. In addition, they have attracted some of the most sophisticated (Stuxnet, Night Dragon, Flame) and damaging (Shamoon) cyber attacks on record.

The report, conducted by Eric Byres, CTO and vice president of engineering at Tofino Security, found:
• The number of vulnerabilities in SCADA/ICS applications is high, with an estimated 1,805 undiscovered vulnerabilities present on some control system computers. After measuring the amount of software on the average control PC in a refinery and applying a metric called Defect Density to estimate the number of expected vulnerabilities, the research showed that the average PC in this one refinery carried 1,805 possible vulnerabilities.
• The frequency of patching needed to address future SCADA/ICS vulnerabilities in controllers and computers likely exceeds the tolerance of most SCADA/ICS operators for system shutdowns. Unlike IT systems, most industrial processes operate 24×7 and demand high uptime. Weekly shutdowns for patching are unacceptable.
• Even when a user can install patches, the patches themselves can be a problem. There is a 1 in 12 chance that any patch will affect the safety or reliability of a control system, and patches for control system products have a 60 percent failure rate in fixing the reported vulnerability. In addition, patches often require staff with special skills, and such experts often lack the certification needed for access to safety-regulated industrial sites.
• Patches are available for less than 50 percent of publicly disclosed vulnerabilities.
• Critical infrastructure operators are reluctant to patch as it may degrade service and increase downtime.

When patching is not possible, or while waiting for a semi-annual or annual shutdown to install patches, an alternative is to deploy a workaround, also known as a “compensating control.” Compensating controls do not correct the underlying vulnerability; instead, they help block known attack vectors. Examples of compensating controls include product reconfigurations, applying suggested firewall rules, or installing signatures that recognize and block malware.

Another compensating control is rule and protocol definitions that address newly disclosed vulnerabilities. They provide a way for automation system vendors to create and securely distribute malware protection. Operators benefit from a package of tailored rules they can install without impacting operations. The result is critical industrial infrastructure facilities can quickly and effectively defend themselves against new threats.

“My research highlights the multiple challenges with patching for SCADA and ICS systems,” Byres said. “To secure facilities, critical infrastructure operators should pursue a defense in depth strategy that includes patching when possible, and use compensating controls for protection when patching is not possible.”

Wednesday, August 29, 2012 @ 08:08 PM gHale

By Richard Sale
One year after U.S. cyber investigators uncovered a five-year-old Chinese hacking venture called Shady RAT that looted “trillions of dollars worth of intellectual and corporate data from U.S. companies,” the response of the corporations to the threat is still loosely coordinated and ineffective, former U.S. intelligence officials said.

“Companies think first of their shareholders or shielding their name, not safety,” one official said. “They have a phobia about publicity.”

“This is a very sensitive matter which companies find it hard to talk about or address,” another official said. “They feel that the government should be protecting them when, in fact, they should be protecting themselves.”

Whether this means companies are ignoring the attacks or they are quietly hiking their security posture remains unclear, the result is in most cases, it has been ineffective, sources said, and yet more companies, like oil giant Saudi Aramco, are suffering from major targeted attacks.

Even the U.S. patent offices “are a very attractive target for espionage,” said James Lewis, a cyber expert at CSIA in Washington. “For hackers, it’s one-stop shopping. Why waste time when you can go to the source and get the finished product.”

Shady RAT is no different from other attempts by China to evade security and loot the property of U.S. corporations and federal agencies. Chinese attackers have been looting U.S. banks of hundreds of millions of dollars a year, said Lewis. Only one bank, Citigroup, went public with its losses.

In a 14-page report issued last year, the security firm McAfee listed “72 companies in 14 countries it claimed have been the victim for more than five years of cyber attacks siphoning intellectual property – including government data, business dealings and corporate research.”

Victims included government bodies in the United States, Taiwan, South Korea, Vietnam and Canada, said Dmitri Alperovitch, vice president of threat research at McAfee. Fifty of the victims included “corporations, government agencies (particularly defense contractors) and nonprofits based in the United States. Other sites infiltrated included the United Nations and Associated Press.”

One U.S. intelligence official said that malware has been removed from most sites, but said the case is still “on-going.” The weapon used by attackers was the common email.

In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and combed through reams of secret data, McAfee said.

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said in the report.

“What is happening to all this data … is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

McAfee learned of the extent of the hacking campaign in March 2011, when researchers discovered logs of the attacks while reviewing the contents of a “command and control” server they discovered in 2009 as part of an investigation into security breaches at defense companies.

It called the attacks “Operation Shady RAT” and said the earliest breaches date back to mid-2006, though there might have been other intrusions. (RAT stands for “remote access tool,” a type of software that hackers and security experts use to access computer networks from afar).

Some of the attacks lasted just a month, but the longest — on the Olympic Committee of an unidentified Asian nation — went on and off for 28 months, McAfee said.

In February 2011, McAfee warned hackers working in China broke into the computer systems of multinational oil and natural gas companies to steal bidding plans and other critical proprietary information. Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes were the six companies targeted in the attack.

“Night Dragon” attacks relied on a combination of spear-phishing, social engineering, Windows bugs and RATs to guarantee success. The catch is none of the tactics were particularly sophisticated, said McAfee, which uncovered the assault emanating from China and consisting of covert attacks targeting oil, energy and petrochemical companies as far back as November 2009.

“(The attacks) were very successful,” Alperovitch said. The information the hackers obtained had huge value to competitors.

That information included financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. That attack showed security needs to be strong from the field all the way through the enterprise. You never know where the attack could occur.

Friday, July 13, 2012 @ 09:07 AM gHale

By Nicholas Sheble
“APTs (advanced persistent threats) are not a ‘what,’ but a ‘who,’” said Daniel Teal, the chief technology officer at CoreTrace. “It’s particular people who are after you, your products, or what you know, your information.”

“They have resources, expertise, and the time to get you.” APTs have delivered the famous cyber attacks that are familiar in the mainstream like Stuxnet, Aurora, Night Dragon, and others.

An advanced persistent threat (APT) is a cyber threat or cyber attack where the hacker has the ability to evade detection and the capability to gain and maintain access to well-protected networks and the sensitive information in them.

The hacker is adaptive and well resourced. The persistent nature of the threat makes it difficult to prevent access to one’s computer network and, once the threat actor has successfully gained access to one’s network, very difficult to remove.

The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically. ISSSource has reported before on APTs and the website contains an informative white paper on them.

Beyond discussing the objectives of APTs, Teal spoke Thursday during a company webinar entitled “Combating Advanced Persistent Threats: The Case for Application Whitelisting-based Solutions,” about potential targets, what the primary weapons include (like memory attacks), and the best solutions to stave off such attacks.

Among those solutions, Teal made a compelling case for application whitelisting-based advanced threat protection platforms.

Application whitelisting is a concept whereby only authorized applications can run on the network and its nodes. So rather than searching out malware using antivirus software, the system blocks everything — except those functions that the user designates to run.

The anti-malware value of this technique rests on the assumption that malware never gets onto the whitelist. As long as the whitelist remains malware-free, malware cannot run. Teal said whitelisting can stop all APTs.
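The default-deny rule described above, as an added example that is not CoreTrace’s product or code from the original article: an allowlist keyed on file content (SHA-256) rather than on file path, so that a binary replaced in place is blocked even though its name and location are unchanged. The file names and contents are constructed for the demonstration.

```python
"""Hash-based application allowlisting check (constructed example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Default-deny execution policy: anything not explicitly approved is blocked."""

    def __init__(self):
        self._entries = {}  # path -> SHA-256 recorded at approval time

    def approve(self, path):
        """Designate a binary as authorized by recording its current content hash."""
        self._entries[str(path)] = sha256_of(path)

    def decision_by_path(self, path):
        """Weak variant: trusts the location only. Shown to illustrate the gap."""
        return "ALLOW" if str(path) in self._entries else "DENY: not on allowlist"

    def decision(self, path):
        """Strong variant: the binary must be both listed and unmodified."""
        key = str(path)
        if key not in self._entries:
            return "DENY: not on allowlist"
        if sha256_of(path) != self._entries[key]:
            return "DENY: hash mismatch (binary modified or replaced)"
        return "ALLOW"


def demo():
    """Run the three cases a whitelist must handle; returns the decisions."""
    with tempfile.TemporaryDirectory() as d:
        hmi = Path(d) / "hmi.exe"            # hypothetical operator application
        hmi.write_bytes(b"LEGIT HMI BINARY v1")
        dropper = Path(d) / "update.exe"     # hypothetical unapproved binary
        dropper.write_bytes(b"UNKNOWN PAYLOAD")

        wl = Allowlist()
        wl.approve(hmi)

        results = {
            "approved": wl.decision(hmi),      # listed and unchanged
            "unknown": wl.decision(dropper),   # never designated by the user
        }
        # Simulate the approved binary being overwritten at the same path.
        hmi.write_bytes(b"TROJANIZED HMI")
        results["replaced_by_path"] = wl.decision_by_path(hmi)  # path check misses it
        results["replaced_by_hash"] = wl.decision(hmi)          # hash check catches it
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

A file-hash allowlist only governs what is loaded from disk; code injected into the memory of an already-approved process is not seen by this check, which is why the article lists memory attacks among the primary APT weapons.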

Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.

Securing Real-Time Drilling Data

By Gregory Hale
There is no better term around today that sums up the requirements for oil and gas
Tuesday, June 19, 2012 @ 06:06 PM gHale

Editor’s Note: This is Part I of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
A very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called “Advanced Persistent Threats – A Real Problem with Real Solutions.” Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS/SCADA world.

First, a little background. APTs are carefully crafted attacks against a focused target, designed to be effective over an extended period of time. Richard Bejtlich in his TaoSecurity Blog says it well:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data).

Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also a good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.

Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. This column will discuss the first approach.

Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.

So the smart IT teams are focusing their scarce security resources on securing those assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (a technique known as a Bastion Model, which bases the security design on hiding behind a single monolithic solution and so creates a single point of failure). Instead, they install additional layered defenses directly protecting key assets such as servers containing sensitive financial or intellectual property information.

There are good reasons for using this approach. The obvious one is that it allows a defense in depth strategy, rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day than for two hundred servers. Tasks that are highly focused are more likely to be carried out by overworked security staff.

The third reason is that these assets are the same ones the bad guys will focus on. Sure hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.

The strategy of focusing your defenses also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety instrumented system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.

Consider Stuxnet. Symantec reports the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defense focused on protecting those PLCs, their enrichment process likely would never have been impacted. Clearly, they focused more on a bastion security model, which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.

Don’t get me wrong, neither Paul nor I am advocating giving up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.

What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.

So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.

Eric Byres is chief technology officer at Tofino Security. This excerpt is taken from the Practical SCADA Security blog.

Wednesday, June 6, 2012 @ 05:06 PM gHale

By Gregory Hale
Critical infrastructure organizations should be on alert because they will be the target of a cyber attack before long.

Exaggerated hyperbole from folks watching the cyber security environment? Hardly. Just cold hard facts.

If Flame taught the industry anything, it is professional hackers can get in and find out details and nuances of any system they want to. It seems Flame did just that, as Duqu did before that. What they are looking for and what they have in store for potential victims remains to be seen. But for now, operators of critical infrastructure should be on alert. Not only because of the possibility of being collateral damage in a cyber war incident, but also because, as Night Dragon showed, there are organizations, companies, and countries trying to get in and steal vital information.

In the Night Dragon case, the attackers compromised perimeter security through SQL injection attacks on extranet web servers, targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts. Once inside, they obtained financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.

Companies today need to protect against any possible attack vector from any source globally. Just take a look at Stuxnet.

As ISSSource reported last September, we know Stuxnet was the creation of a joint U.S.-Israeli project. What continues to astound is the thought that other operators of critical energy sources, like electric, water, oil, coal, and nuclear among others, are not moving faster to create a solid defense in depth posture to keep out the bad code that can lead to the destruction of a facility.

The idea originally espoused once we learned about the originators of the Stuxnet worm and the targeted victims was: “It was the good guys against the bad so we are not a target.” That mindset seems to be winning out throughout the manufacturing automation industry. Unfortunately, that is a very misguided thought process. Protection is paramount.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The code, which is currently out on the Internet, used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.

As ISSSource’s Richard Sale reported back in October, Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.

At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.

The groundwork for the plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.

In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study the Siemens PCS 7 / Step 7 platform, which runs all sorts of sensors and machines in the process control system, the sources said.

As it turned out the system they were testing was also the same system running the nuclear enrichment plant in Natanz.

While the technical plan of creating the Stuxnet virus was ongoing, Israel was training operatives, or as it turned out double agents, to plant the worm using a corrupt memory stick, said former and serving U.S. intelligence officials.

These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.

“Iranian double agents would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” were arrested in connection with the Stuxnet virus.

These acts against Iran will not go unpunished. It only makes sense that Iran will find a way to fight back in this new era of cyber warfare. But put that thought aside for a moment: code is out there that has proven it can get into systems and take them over. Stuxnet code is on the Net and there for the picking. A modified version or just a copycat can end up sitting on a system of choice, lurking and waiting for a moment to pounce.

Stuxnet is scary code. The cold hard fact is more manufacturers need to focus on creating a defense in depth plan.
Gregory Hale is the founder and editor of ISSSource.com.

Oil & Gas Security: From Field to Boardroom

By Gregory Hale
You never know who is watching. Just ask the oil and gas company executives hit by
Wednesday, April 11, 2012 @ 12:04 PM gHale

By Nicholas Sheble
Social media like Facebook and LinkedIn may be a boon to marketing and human resource departments, but conversely they cause major security fears in production departments and strategic areas of companies.

The personal data and peer networking that have become important sales tools and product referral vehicles are weapons in the hands of hackers seeking entrée to computer systems and databases where the miscreants prospect for valuable assets.

Hackers use information they glean to learn details about the lives of employees of targeted companies so they can trick the victims into opening a malicious application on their work computers.

These ploys – social engineering techniques – exploit vulnerabilities in human nature and make the targeting more effective.

Francis deSouza, group president of enterprise at security company Symantec Corp., told The Wall Street Journal he saw one attack where a hacker learned that a systems administrator had five children. The hacker constructed an email with a malicious file attachment that appeared to come from the company’s human-resources department and contained information about a new benefit program for families with four or more kids.

Attackers often garner clues from social-networking sites like LinkedIn and Facebook where the criminal can identify an employee and his or her department within an organization, deSouza said.

Further, the criminal can troll sites like Facebook to learn the names of the employee’s friends and that person’s interests. The hacker can even visit Twitter to get a sense of how a person writes, how he or she constructs their sentences.

Once the hacker identifies the employee and learns more about him or her, the attack is on. The hacker will send the victim an email that appears to be from a friend or colleague. The email will include an apparently legitimate attachment that actually contains code that will allow the intruder access to the target’s computer. The code is sophisticated and of such quality, that antivirus software won’t detect it. Then, it’s off to the races.

In 2007, the Oak Ridge National Laboratory reported someone successfully targeted that facility using emails socially engineered to appear as though they were legitimate official communications. The escapade compromised computers and a database containing information about visitors to the facility. The hackers had the capability to steal data from that database.

In 2009, coordinated covert and targeted cyber attacks took place against global oil and petrochemical companies, according to McAfee Foundation Professional Services and McAfee Labs. These attacks, dubbed Night Dragon, used socially engineered emails along with Microsoft Windows operating system vulnerabilities to gain access to computers. Using the access obtained, the hackers stole information on operational oil-and-gas-field production systems and financial documents relating to field exploration and contract bidding.

In 2011, RSA told its customers it had suffered attack via socially engineered emails containing malicious attachments that exploited a zero-day Adobe Flash vulnerability. Hackers successfully gained access to the network and exfiltrated information including that related to RSA’s SecurID two-factor authentication products. Subsequently, the stolen information helped in the targeting of defense contractors.

All this tells us humans remain the weakest link in the security chain. Given the success of social engineering and email to hack systems, the security of the systems is moving away from perimeter defense, away from protecting the infrastructure to securing the valued information, the valued asset itself.
Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.

Wednesday, April 4, 2012 @ 07:04 PM gHale

By Nicholas Sheble
A majority of the 300 million cyberattacks last year were of the online smash-and-grab variety: Get in, steal something valuable, get out.

Other grifters, however, know exactly what they want and there’s nothing random, haphazard, or hurried about their approach to getting it.

APTs – advanced persistent threats – are the hottest and most lethal of cyberattacks, and even the most sage security pros say they are almost impossible to prevent.

“There isn’t a corporation in the nation today that can’t be penetrated, not one,” Mike McConnell, former director of the National Security Agency, former U.S. Director of National Intelligence until 2009, and now vice chair at consulting firm Booz Allen Hamilton, told The Wall Street Journal this week.

There are papers and treatises on APTs: What they are, who uses them, how to stop them, and the like. What precisely they are can vary, but one blog proposes this summary. It is reasonable and aligns with available resources and information.
Advanced – Operators behind an APT have a full spectrum of intelligence-gathering techniques and capabilities. These may include computer intrusion technologies and techniques, conventional intelligence-gathering techniques such as telephone-interception technologies, and satellite imaging. While individual components of the attack are not necessarily sophisticated, as in malware components available via do-it-yourself malware construction kits, or the use of easily procured exploit materials, their operators can access and develop advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from less-advanced threats.
Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies the attackers receive guidance from external entities. The targeting takes place via continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to the target, they usually will reattempt access, and most often, they are successful. One of the operator’s goals is to maintain long-term access to the target, in contrast to the cyber threats that only need access to execute a specific task.
Threat – APTs are a threat because they have capability and intent. APT attacks come about as coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized, and well funded.

Only a small portion of cyberattacks are APTs.

“Last year there were 300 million cyberattacks,” Francis deSouza, group president of enterprise at security company Symantec Corp. told The Wall Street Journal. “Only a subset were advanced and targeted and persistent.”

The companies that APTs target usually have, or have access to, sensitive information, which is to say defense contractors and financial entities.

Groups associated with foreign governments often launch APTs. Whereas most cyberattacks aim to steal financial data, APTs typically target intellectual property.

Those incidents over the past few years that were likely to have been APTs include:
Year 2009 – GhostNet, Stuxnet, Night Dragon, and Operation Aurora
Year 2010 – Stuxnet continuing, the Australian Resource Sector, and the French Government
Year 2011 – French Government (ongoing), the Canadian Government, the Australian Government, Comodo Affiliated Root Authority, RSA, Oak Ridge National Laboratory, L3 Communications, Lockheed Martin, Northrop Grumman, and the International Monetary Fund

There is an interesting and informative discussion of trends in predicting future APT targeting, APT attack methodology, and security practices and policies that might help organizations increase their resistance to APT attacks.

Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.

Wednesday, March 14, 2012 @ 05:03 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
Recent well-designed ICS worms and cyber attacks such as Night Dragon, Duqu and Nitro have been revealed. Each of them has focused on stealing intellectual property such as oil field bids, SCADA operations data, design documents and other information that could cause business harm. This focus on industrial data compromise is new, and signals a new era of industrial malware.

When most people consider the motivation of worm creators and hackers, they think of the destructive focus of early cyber events like the Slammer worm or Mafia-Boy attacks. Nitro and Duqu show a different focus – subtle and persistent attempts to steal valuable information. This information could then be used to make a competitive or counterfeit product, out-bid a rival for an oil or mineral exploration lease, or coordinate a marketing campaign against a competitor’s new product.

Theft of process information for commercial espionage is nothing new. It was around long before networks and cyber security showed up. Today, the profit potential for IP theft can be enormous. One consumer products company estimates that IP theft from its operations results in nearly a billion dollars of counterfeit product produced and sold every year. This is money the company will never see.

These worms could also be precursors to later destructive attacks against automation systems. Clearly the Stuxnet designers collected detailed process information on their victim prior to actually creating their worm. Could the Duqu worm be a forerunner to a more destructive attack? Symantec certainly thinks so.

It is worth noting that the goal of Stuxnet was to impact production (of enriched uranium) rather than cause an explosion and kill people. So it is possible that the goal of this next generation of malware is to quietly stop production at a plant or utility somewhere in the world. Impacting the production of a competitor, short selling the shares of a company or extorting money under the threat of a disruption are all profitable activities for a criminal or nation-state group.

Security experts suggest the only solution is to go back to the days of completely isolated automation systems. Unfortunately, walling off a control system just isn’t feasible today. Modern industry and the technologies it depends on need a steady diet of electronic information from the outside world to operate. Cut off one source of data into the plant floor and another (potentially riskier) “sneaker-net” source replaces it.

Now industry and government can try to battle this trend by banning technologies and mandating complex and onerous procedures. We see this sort of strategy every time we try to board a plane and wait in long lines to take our shoes off and get our hair shampoo confiscated. Frankly, I don’t think it is effective or efficient security for air travel. It is even worse for companies that ultimately need to be profitable if they are going to stay in business.

Is the situation hopeless? No, but ICS/SCADA security practices must improve significantly. First, the industry needs to accept the idea that complete prevention of control system infection is probably impossible. Determined worm developers have so many pathways available to them that over the life of a system some assets will suffer compromise. The owners and operators need to adjust their security programs accordingly. In particular, security programs need to:

• Consider all possible infection pathways and have strategies for mitigating those pathways, rather than focusing on a single pathway such as USB keys
• Recognize no protective security posture is perfect, and take steps to aggressively segment control networks to limit the consequences of compromise
• Install ICS-appropriate intrusion detection technologies to detect attacks and raise an alarm when equipment suffers compromise or is at risk of compromise
• Look beyond traditional network layer firewalls, toward firewalls capable of deep packet inspection of key SCADA and ICS protocols
• Focus on securing last-line-of-defense critical systems, particularly safety integrated systems (SIS)
• Include security assessments and testing as part of the system development and periodic maintenance processes. Identify and correct potential vulnerabilities, thereby decreasing the likelihood of a successful attack
• Demand secure control products from automation systems vendors
• Work to improve the culture of industrial security amongst management and technical teams.
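The intrusion-detection and deep-packet-inspection items above come down to a firewall that understands the ICS protocol rather than just ports. As an added example (not code from the original post, nor from any Tofino or Byres Security product), here is a minimal Modbus/TCP request inspector: it assumes Modbus/TCP as the "key SCADA protocol" (the post names none), constructs its own sample frames and host addresses, and blocks writes from anything but an engineering workstation, blocks diagnostic function codes, and drops frames whose MBAP header is inconsistent.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes (from the Modbus application protocol spec)
READ_FUNCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCS = {5, 6, 15, 16}     # write single/multiple coil or register
DIAG_FUNCS = {8, 43}             # diagnostics, encapsulated transport (device identification)

@dataclass
class Verdict:
    action: str                  # "allow" or "block"
    reason: str
    function: Optional[int] = None
    address: Optional[int] = None

def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header and function code; reject inconsistent frames."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:         # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with frame size")
    return unit, frame[7], frame[8:]

def inspect(frame: bytes, src: str, write_hosts: set) -> Verdict:
    """Client-to-PLC policy: reads from anyone, writes only from write_hosts, rest blocked."""
    try:
        _unit, func, data = parse_mbap(frame)
    except ValueError as err:
        return Verdict("block", f"malformed frame: {err}")
    addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    if func in READ_FUNCS:
        return Verdict("allow", "read request", func, addr)
    if func in WRITE_FUNCS:
        if src in write_hosts:
            return Verdict("allow", f"write from authorised engineering host {src}", func, addr)
        return Verdict("block", f"write attempt from non-engineering host {src}", func, addr)
    if func in DIAG_FUNCS:
        return Verdict("block", "diagnostic/device-id function not permitted", func)
    return Verdict("block", f"function code {func} not on allow-list", func)

# Constructed sample frames (not captured traffic): unit 1, then start address / quantity or value
READ_FRAME = bytes.fromhex("000100000006 01 03 0000 000a")      # FC3 read 10 holding regs at 0
WRITE_FRAME = bytes.fromhex("000200000006 01 06 0010 00ff")     # FC6 write 0x00ff to register 16
DIAG_FRAME = bytes.fromhex("000300000006 01 08 0000 0000")      # FC8 diagnostics sub-function 0
BAD_LEN_FRAME = bytes.fromhex("000400000020 01 03 0000 000a")   # MBAP length field lies (0x20)
```

A real DPI firewall would also track the TCP stream and pair responses with requests; the point here is that a port-only rule cannot tell the FC3 read from the FC6 write, while this check can.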

Implementing these changes will improve the “defense in depth” posture for all industrial control systems. They are needed urgently. If not, your operation might show up on TV, as the lead story in the news about a successful cyber attack.

Eric Byres is chief technology officer at Byres Security. This is an excerpt from the full Practical SCADA Security blog post.
