Why Threats Not Always Disclosed

Monday, December 7, 2015 @ 04:12 PM gHale

By Nate Kube
On December 28, 2014, a German steel mill lost control of its blast furnace, which contained molten metal heated to thousands of degrees, reaching a critically dangerous operating condition.

The incident was the result of hackers infiltrating the mill’s control system. Nearly one year later, it is still unknown exactly what happened and when. The target has not been publicly revealed, nor its location or why it was targeted. Neither the company nor the authorities have issued additional information. Such lack of granularity is no accident.

There are very sound, obvious reasons why organizations, such as the steel mill and the authorities, did not specify all the details of such major infrastructure attacks.


Many believe that disclosing such breaches could tarnish the company’s reputation, potentially resulting in a drop in its stock price. At the same time, attacks against the industrial Internet could end up treated by the legal community as criminal incidents, which prohibits extensive commentary and public discussion. But there are more nuances and technicalities worth understanding to better mitigate risk as we enter the industrial Internet age.

This month I would like to open up a discussion about whether OT can pursue cooperation and threat information sharing similar to IT, or whether its unique parameters will always limit attack disclosures.

Case in Point
Taking the German steel mill as an example, the attack first came to light in a report issued by Germany’s Federal Office for Information Security (BSI).

It explained the attackers gained access to the steel mill through the plant’s IT network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack, sending targeted email appearing to come from a trusted source (a common IT attack method). The spear-phishing emails tricked the recipient into opening a malicious attachment or visiting a malicious web site, where malware was downloaded to a company computer.

Once the attackers gained a foothold on one system, they executed a lateral attack and explored the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the OT network. That is the extent of publicly available knowledge on this “OT” attack.

IT Attack Disclosure
Contrast this disclosure with the IT attacks published frequently in mainstream media. Several high-profile retailers were targeted for their customer data, and a major department of the U.S. government suffered an attack for employee personnel information. Multiple levels of each organization were interviewed, investigations were publicly detailed and discussed, and in the retail industry case, new types of POS systems were introduced. In the government case, leadership teams were held accountable and the ramifications continue.

These well-known hacks of customer accounts at a series of retailers represented a penetration of the organization’s IT system, while infiltrating a control system to cause the German furnace explosion constituted an attack on the OT system. The nature of these two technology types helps explain one reason why security professionals deal with each of the two environments differently. It may also shed light on how threat disclosures, accordingly, are shared or not shared.

IT security occurs in the context of an IT stack with tools from many vendors – network, servers, storage, apps and data. The ecosystem undergoes periodic updating, with most hosts talking to many other hosts, and where there are frequent security patch cycles — in weeks or sometimes days — in response to expected and known cyber threats. Data (information) is what the enterprise is essentially protecting. IT varies by organization in terms of scope, and does not always include embedded technologies unless they are generating enterprise business data.

In OT, it is high-value, well-defined industrial processes that need protection, many of which execute commands across a mix of proprietary devices from varied manufacturers. Many of the devices and software used in operational environments are 10 to 30 years old. They were not originally designed to be connected externally, have not been patched very often, and are not designed to withstand many of the attack techniques commonly used today. Usually, the system is composed of proprietary tools, which made it seem “safer” to run on open Ethernet while saving on costly switches and connections. The design of software-driven control systems in past decades evolved in isolation and was never subjected to the same scrutiny as Microsoft Windows operating systems and other enterprise software in the 1990s and 2000s. It was never hardened by millions of users and revised multiple times as threats evolved.

This technical context may help explain why, on the IT level, security directors typically share information — it can potentially prevent damage across similar environments. Security in enterprise systems has come to rely extensively on sharing attack information and Indicators of Compromise (IoCs) identified in one system to help inform the protection of other systems, and to quickly adapt defenses as the threat landscape evolves. An example of this is an IP reputation database, which contains a table of IP addresses known to distribute malware, run phishing campaigns or host drive-by exploit websites. Disclosing a warning about a vulnerability impacting a well-known file-sharing program, for example, is common in enterprise settings. Notifying peers and the industry about IT-related viruses is also routine, including precise details about how the virus works and what can be done to eliminate it.

OT Knowledge Sharing
Establishing an analogous information-sharing infrastructure for OT has been challenging for several reasons. First is the increased risk to physical safety. Data loss is one level of risk. But human safety raises the stakes, and rightfully so, focusing the bulk of security efforts on controlling physical conditions such as work hazards, temperature controls and machine settings that are very specific to that operator. Historically, sharing information with employees so they could safely control the physical operating environment was a higher priority for mitigating risk than sharing risk information externally.

Second, the differences in the technical implementation of control system networks change how they are exploited, which limits how applicable mass-disclosed threat information can be in OT. Except in the most trivial cases of misconfiguration allowing direct Internet access, attacks against OT originate either from a trusted insider (whether or not they are aware of instigating it), from compromised enterprise workstations used as a network pivot, or from physically exposed infrastructure such as wireless interfaces. The threat intelligence sources that IT security solutions depend on, commonly referred to as “feeds,” have little relevance to the typical OT system. Sharing how a unique and possibly one-of-a-kind combination of systems ended up infiltrated may have little bearing on another, equally unique operating environment.

Third, OT security personnel recognize that the increasing connectivity offering them new operational benefits also brings new risk. Some do not disclose security threats because they believe it will catalyze subsequent attacks at a time when they are still modernizing their environments, especially their levels of digital connectivity. Others do not want to inadvertently “instruct” future hackers on which physical device is prone to attack (and thus an ideal target). At a time when the physical and digital are converging, it may not make sense to disclose attacks until these new environments further stabilize.

In “The Art of War,” the philosopher Sun Tzu teaches, “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”

Professionals in the OT and IT communities know their environments, and this informs their approach to security. IT has spent heavily on initial technologies and strategies, while OT is at the early beginnings of managing a security posture inclusive of digital and cyber. As devices and machine data evolve and intertwine, however, there may be more pressure on OT to adopt new ways of sharing threat information. Despite the limitations and technicalities that make operational situations unique, critical infrastructure providers can still pursue industry-specific forums and peer relationships to enhance protective measures.

In my next column, I will also detail the different system types and steps these providers can take to mitigate risks today.

Wurldtech's Nate Kube.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s Chief Technology Officer, is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive intellectual property portfolio and has authored and filed numerous patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.