Posts Tagged ‘Night Dragon’
Wednesday, November 6, 2013 @ 05:11 AM gHale
By Gregory Hale
It is very easy to take a fatalistic approach to security because it seems attackers have the upper hand, but it doesn’t have to be that way.
“The bottom line is the bad guys are winning and we must take action,” Jeff Zindel, cyber security business leader at Honeywell Process Solutions said Wednesday during his keynote address at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France. “We must take a proactive approach to cyber security.”
With all the successful attacks and intrusions that have covered all or parts of the industry over the past three years or so, it could be easy to get lost in the hype and hysteria.
The big name attacks were Stuxnet, Shamoon, Flame, Duqu, Night Dragon, Operation Aurora, Red October and Gauss to name a few.
Industrial control systems (ICS) attacks have had a compounded annual growth rate of 54 percent, Zindel said.
Some of the drivers behind attacks are technology costs have decreased; network connections are multiplying, information sharing has grown and people are learning they can make money with attacks. While the better known cyber bad guys — like nation states, hacktivists, and cyber spies – make up a strong list of perpetrators, there is also the inside threat that provides a twist on the attack scenario.
“Inside threats represent a tremendous threat,” Zindel said. “I call them the Snowden affect. They are very hard to catch and detect.” In addition, Zindel talked about the insider risks, where trusted resources suffered a compromise where malware may have landed in a home computer and these people download that virus and unwittingly introduce it into the workplace.
With threats coming from the inside and from the outside, manufacturers have to build a solid security program.
“Building a fortress is not enough,” Zindel said. “A hard shell is not enough; air gapped islands are not enough. We need to protect from the inside out as well as from the outside in.”
“We have a path to fight the problems, a dedicated services program, a program to run just as you would run your safety program. Cyber security must be treated as a dedicated continuous program, not an event.”
There needs to be more than just one aspect of security. “Embedded security is good, but it is not enough,” Zindel said. There has to be more with ongoing solutions, systems, tools and services. No solution fits everyone’s needs, so an integrator and end user need to work together to find the right answers, he said.
Whether getting started with a security program or after you have one installed, there are some questions you need to ask to ensure you have the right focus:
• Do you know your current security risk?
• Have you identified your high value targets in systems and operations?
• What measures are you taking to protect those targets?
• Assume you have been attacked and are you aware?
“The final question you have to ask is are you ready because the attackers are coming,” Zindel said.
Tuesday, October 15, 2013 @ 06:10 PM gHale
By Gregory Hale
Levels of cyber security awareness just keep increasing throughout the industry.
“From 2006 when I first started at Invensys people were talking about firewalls and how that made them secure,” Doug Clifton said Tuesday during the Invensys Software Conference and Tech Support Symposium in Dallas, TX. “From 2006 to today you can just see the increase in awareness. The thought process is changing to thinking about installing applications.”
With all the big attacks in the news like Stuxnet, Night Dragon and Shamoon, security awareness obviously has grown with security professionals, but the good news is it has also risen with the rank and file workers on the plant floor.
“You are hearing about security more than just at work,” said Clifton, director of Invensys Operations Management’s Critical Infrastructure Security Practice. “Just yesterday, my kids’ school sent home a note about cyber security. So, it is all around us. Awareness is there.”
“When I started, security was all about being an insurance policy. Today we can also make the network performance much better. The goal is to protect the network from various things – even themselves.”
There are companies that talk about security compliance and some that talk about tactical solutions, but Clifton said they should be somewhere in between where they are compliant to best practices and standards.
As the awareness increases, some people will talk about doing a penetration test to attack a system to find weaknesses. But Clifton talks about doing a vulnerability assessment.
“We want to get the basics introduced,” he said. “After a while we may get to the point of doing a penetration test, but we are not there yet. We want to bring in best practices. We don’t want to focus on the big monster of NIST standards. We want to deal with the basics on how you can protect yourself without breaking the bank. We find we have clients that are not sure what they have that needs protecting.”
He talked about one case where he went into a manufacturer and they told him they were not sure why they needed security at all. They were a small company that was producing a simple product. As it turned out they were making a good bit of revenue off a new type of coating that would ensure their customers would only have to apply it once a year instead of the usual twice a year. That, they said, would save their customers time and money. Clifton then told them, wouldn’t you want to ensure your intellectual property – in this case an industry leading product – would stay in your possession and not fall into the hands of a competitor. That is when they understood why then needed a security program.
“Securing intellectual property is pretty fundamental along with safety of personnel. Not enough people give credence to security intellectual property.”
Yes awareness is on the increase, but often times Clifton and his team have to go into a user and just sit down and have a conversation on their objectives.
Security will mean there will be changes, and it will not be business as usual. The main goal is to not add in levels of complexity. We want to take it and make it more robust and create an environment that is not impactful to their work.
“Going from zero to secure is a pretty big step,” he said. “There are intermittent goals along the way. It is a journey. The further along they are in the journey, the better the questions they ask.”
Thursday, March 14, 2013 @ 05:03 AM gHale
By Gregory Hale
Patching is often ineffective in providing protection from the multitude of vulnerability disclosures and malware targeting critical infrastructure systems today, new research shows.
While patching such systems is important as part of an overall defense in depth strategy, the difficulties of patching for industrial systems mean that compensating controls are often a better method of providing immediate protection, according to research from Tofino Security.
Since the discovery of the Stuxnet malware in 2010, industrial infrastructure has become a key target for security researchers, hackers, and government agents. Designed years ago with a focus on reliability and safety, rather than security, Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) are often easy to exploit.
As a result, there has been exponential growth in government security alerts for these systems in the past two years. In addition, they have attracted some of the most sophisticated (Stuxnet, Night Dragon, Flame) and damaging (Shamoon) cyber attacks on record.
The report, conducted by Eric Byres, CTO and vice president of engineering at Tofino Security, found:
• The number of vulnerabilities existing in SCADA/ICS applications is high, with as many as 1,805 vulnerabilities not yet found existing on some control system computers. After analyzing the amount of software on the average control PC in a refinery and then using a metric called Defect Density to calculate the number of expected vulnerabilities, the research showed this one refinery had 1,805 possible vulnerabilities for the average PC.
• The frequency of patching needed to address future SCADA/ICS vulnerabilities in controllers and computers likely exceeds the tolerance of most SCADA/ICS operators for system shutdowns. Unlike IT systems, most industrial processes operate 24×7 and demand high uptime. Weekly shutdowns for patching are unacceptable.
• Even when a user can install patches, they can be a problem. There is a 1 in 12 chance any patch will affect the safety or reliability of a control system, and there is a 60 percent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills. In many cases, such experts often do not have proper certification for access to safety regulated industrial sites.
• Patches are available for less than 50 percent of publicly disclosed vulnerabilities.
• Critical infrastructure operators are reluctant to patch as it may degrade service and increase downtime.
When patching is not possible, or while waiting for a semi-annual or annual shutdown to install patches, an alternative is to deploy a workaround, also known as a “compensating control.” Compensating controls do not correct the underlying vulnerability; instead, they help block known attack vectors. Examples of compensating controls include product reconfigurations, applying suggested firewall rules, or installing signatures that recognize and block malware.
Another compensating control is rule and protocol definitions that address newly disclosed vulnerabilities. They provide a way for automation system vendors to create and securely distribute malware protection. Operators benefit from a package of tailored rules they can install without impacting operations. The result is critical industrial infrastructure facilities can quickly and effectively defend themselves against new threats.
“My research highlights the multiple challenges with patching for SCADA and ICS systems,” Byres said. “To secure facilities, critical infrastructure operators should pursue a defense in depth strategy that includes patching when possible, and use compensating controls for protection when patching is not possible.”
Click here for more information on ICS and SCADA patching from Eric Byres.
Wednesday, August 29, 2012 @ 08:08 PM gHale
By Richard Sale
One year after U.S. cyber investigators uncovered a five-year-old Chinese hacking venture called Shady RAT that looted “trillions of dollars worth of intellectual and corporate data from U.S. companies,” the response of the corporations to the threat is still loosely coordinated and ineffective, former U.S. intelligence officials said.
“Companies think first of their shareholders or shielding their name, not safety,” one official said. “They have a phobia about publicity.”
“This is a very sensitive matter which companies find it hard to talk about or address,” another official said. “They feel that the government should be protecting them when, in fact, they should be protecting themselves.”
Whether this means companies are ignoring the attacks or they are quietly hiking their security posture remains unclear, the result is in most cases, it has been ineffective, sources said, and yet more companies, like oil giant Saudi Aramco, are suffering from major targeted attacks.
Even the U.S. patent offices “are a very attractive target for espionage,” said James Lewis, a cyber expert at CSIA in Washington. “For hackers, its one-stop shopping. Why waste time when you can you can go to the source and get the finished product.”
Shady Rat is no different than other attempts by China to evade security and loot the property of U.S. corporations and federal agencies. They have been looting U.S. banks of hundreds of millions of dollars a year, said Lewis. Only one bank, Citi group went public with their losses.
In a 14-page report issued last year, the security firm, McAfee listed “72 companies in 14 countries it claimed have been the victim for more than five years of cyber attacks siphoning intellectual property – including government data, business dealings and corporate research.”
Victims included government bodies in the United States, Taiwan, South Korea, Vietnam and Canada, said Dmitri Alperovitch, vice president of threat research at McAfee. Fifty of the victims included “corporations government agencies (particularly defense contractors) and nonprofits based in the United States. Other sites infiltrated included the United Nations and Associated Press.”
U.S. patent offices “are a very attractive target for espionage. For hackers, its one-stop shopping. Why waste time when you can you can go to the source and get the finished product.”
– James Lewis, CSIA cyber expert
One U.S. intelligence official said that malware has been removed from most sites, but said the case is still “on-going.” The weapon used by attackers was the common email.
In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and combed through reams of secret data, McAfee said.
“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said in the report.
“What is happening to all this data … is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”
McAfee learned of the extent of the hacking campaign in March 2011, when researchers discovered logs of the attacks while reviewing the contents of a “command and control” server they discovered in 2009 as part of an investigation into security breaches at defense companies.
It called the attacks “Operation Shady RAT” and said the earliest breaches date back to mid-2006, though there might have been other intrusions. (RAT stands for “remote access tool,” a type of software that hackers and security experts use to access computer networks from afar).
Some of the attacks lasted just a month, but the longest — on the Olympic Committee of an unidentified Asian nation — went on and off for 28 months, McAfee said.
In February 2011, McAfee warned hackers working in China broke into the computer systems of multinational oil and natural gas companies to steal bidding plans and other critical proprietary information. Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes were the six companies targeted in the attack.
“Night Dragon” attacks relied on a combination of spear-phishing, social engineering, Windows bugs and RATs to guarantee success. The catch is none of the tactics were particularly sophisticated, said McAfee, which uncovered the assault emanating from China and consisting of covert attacks targeting oil, energy and petrochemical companies as far back as November 2009.
“(The attacks) were very successful,” Alperovitch said. The information the hackers obtained had huge value to competitors.
That information included financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. That attack showed security needs to be strong from the field all the way through the enterprise. You never know where the attack could occur.
Friday, July 13, 2012 @ 09:07 AM gHale
By Nicholas Sheble
“APTs (advanced persistent threats) are not a ‘what,’ but a ‘who,’” said Daniel Teal the chief technology officer at CoreTrace. It’s particular people who are after you, your products, or what you know, your information.”
“They have resources, expertise, and the time to get you.” APTs have delivered the famous cyber attacks that are familiar in the mainstream like Stuxnet, Aurora, Night Dragon, and others.
An advanced persistent threat (APT) is a cyber threat or cyber attack where the hacker has the ability to evade detection and the capability to gain and maintain access to well-protected networks and the sensitive information in them.
The hacker is adaptive and well resourced. The persistent nature of the threat makes it difficult to prevent access to one’s computer network and, once the threat actor has successfully gained access to one’s network, very difficult to remove.
The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically. ISSSource has reported before on APTs and the website contains an informative white paper on them.
Beyond discussing the objectives of APTs, Teal spoke Thursday during a company webinar entitled “Combating Advanced Persistent Threats: The Case for Application Whitelisting-based Solutions,” about potential targets, what the primary weapons include (like memory attacks), and the best solutions to stave off such attacks.
One of those methods includes a compelling case for application whitelisting-based advanced threat protection platforms.
Application whitelisting is a concept whereby only authorized applications can run on the network and its nodes. So rather than searching out malware using antivirus software, the system blocks everything — except those functions that the user designates to run.
The anti-malware applications of this technique suppose that malware never gets on the whitelist. As long as the whitelist remains malware-free then malware cannot run. Teal said whitelisting can stop all APTs.
Nicholas Sheble (email@example.com) is an engineering writer and technical editor in Raleigh, NC.
Tuesday, June 19, 2012 @ 06:06 PM gHale
Editor’s Note: This is Part I of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
A very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.
Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called “Advanced Persistent Threats – A Real Problem with Real Solutions.” Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS/SCADA world.
First, a little background. APTs are carefully crafted attacks against a focused target designed to be effective over an extended period of time. Ricard Bejtlich in his TaoSecurity Blog says it well:
• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data).
Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.
Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.
Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. This column will discuss the first approach.
Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.
So the smart IT teams are focusing their scarce security resources on securing those assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (a technique known as a Bastion Model, which bases a security design on hiding behind a single monolithic solution which could result in the possibility of a single point of failure). Instead, they install additional layered defenses directly protecting key assets such as servers containing sensitive financial or intellectual property information.
There are good reasons for using this approach. The obvious one is that it allows a defense in depth strategy, rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day, rather than two hundred servers. Tasks that are highly focused are more likely to be carried out by over worked security staff.
The third reason is that these assets are the same ones the bad guys will focus on. Sure hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.
The strategy of focusing your defenses also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety integrated system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.
Consider Stuxnet. Symantec reports the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defense focused on protecting those PLCs, their enrichment process likely would never had been impacted. Clearly, they focused more on a bastion security model which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.
Don’t get me wrong, neither Paul nor myself are advocating to give up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.
What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.
So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.
Eric Byres is chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.
Wednesday, June 6, 2012 @ 05:06 PM gHale
By Gregory Hale
Critical infrastructure organizations should be on alert because they will be the target of a cyber attack before long.
Over exaggerated hyperbole from folks watching the cyber security environment? Hardly. Just cold hard facts.
If Flame taught the industry anything, it is professional hackers can get in and find out details and nuances of any system they want to. It seems Flame did just that, as Duqu did before that. What they are looking for and what they have in store for potential victims remains to be seen. But for now, operators of critical infrastructure should be on alert. Not only because of the possibility of being collateral damage in a cyber war incident, but also because, as Night Dragon showed, there are organizations, companies, and countries trying to get in and steal vital information.
In the Night Dragon case, the attackers compromised perimeter security through SQL injection attacks on extranet web servers; targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts. They were able to get in and find out financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.
Companies today need to protect against any possible attack vector from any source globally. Just take a look at Stuxnet.
As ISSSource reported last September, we know Stuxnet was the creation of a joint U.S., Israel project. What continues to astound is the thought other operators of critical energy sources, like electric, water, oil, coal, and nuclear among others are not moving faster to create a solid defense in depth posture to keep out the bad code that can lead to the destruction of a facility.
The idea originally espoused once we learned about the originators of the Stuxnet worm and the targeted victims was: “It was the good guys against the bad so we are not a target.” That mindset seems to be winning out throughout the manufacturing automation industry. Unfortunately, that is a very misguided thought process. Protection is paramount.
Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The code, which is currently out on the Internet, used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.
The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.
As ISSSource’s Richard Sale reported back in October, Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.
At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.
The groundwork for the plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.
In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study Siemens PCS 7 or Step 7 platform which runs all sorts of sensors and machines in the process control system, the sources said.
As it turned out the system they were testing was also the same system running the nuclear enrichment plant in Natanz.
While the technical plan of creating the Stuxnet virus was ongoing, Israel was training operatives, or as it turned out double agents, to plant the worm using a corrupt “memory stick.32,” said former and serving U.S. intelligence officials.
These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.
“Iranian double agents would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.
These acts against Iran will not go unpunished. It only makes sense Iran will find a way to fight back in this new era of cyber warfare. But put that thought aside for a moment, code is out there that has proven it can get into systems and take them over. Stuxnet code is on the Net and there for the picking. A modified version or just a copy cat can end up sitting on a system of choice just lurking and waiting for a moment to pounce.
Stuxnet is scary code. The cold hard fact is more manufacturers need to focus on creating a defense in depth plan.
Gregory Hale is the founder and editor of ISSSource.com.