By Gregory Hale
When thinking about a hack on a critical infrastructure entity like a utility, the first thought is that it has to be a nation-state attack. It is easy to jump to that conclusion even before looking at and digesting the facts. It can happen to anyone, from a researcher to an executive to a reporter covering the topic.

Hold on for one minute, just stop and look at all the facts, said Jason Larsen, ICS principal at IOActive, during a session at S4x20 in Miami, FL, last week. He pointed that out when he gave a presentation saying it took him 14 hours to weaponize an attack on the grid — and he is not a nation state.

“In a fairly skilled attack, this is the time it would take,” Larsen said. “All things being equal, it would take about three weeks to create an attack similar to the Ukraine.”

As it turns out, Larsen was hired by an electric power utility to prove how long it could take to pull off an exploit chain and create an attack.


Those 14 hours involved analyzing an Ethernet-to-serial gateway, finding exploitable bugs, writing exploits for those bugs, and constructing an implant that would manipulate some points during a later part of the engagement, he said.

In terms of the 2015 Ukraine attack, “We look at an APT (advanced persistent threat) as a super adversary with superior skills. We are viewing them with mystical powers,” Larsen said. “They didn’t have any advanced skills.”

While the group behind the attacks against Ukraine may have advanced skills, the actual attacks, looked at on their own, were not especially sophisticated; anyone with comparable skills could have pulled them off.

“This was totally doable by an individual,” Larsen said.

In incidents like the two separate attacks against the Ukrainian power grid, the systems may not have been hardened enough to fend off an attack.

In any event, the attacks that show any kind of detail are the ones used as political statements, like Ukraine and Stuxnet. In the Stuxnet case, an Iranian nuclear facility came under attack by the U.S. and Israel in an effort to slow down or stop the country's nuclear enrichment program.

In a non-political incident, the attackers always look to clean up the system after the attack occurs in order to erase their presence.

“The clean-up phase is to make people think it was a system hiccup,” Larsen said. So, if there is a slight blip in the system and it appears nothing is there, operators can just “blame it on the process. But if it is a cyber incident, you don’t get a second bite at the apple.”

Larsen added there was no clean-up on Stuxnet and Ukraine. "These were political statement attacks."

In explaining the Ukraine attacks, Larsen said the bad guys were learning as they went along.

“The first Ukraine attack had a denial of service, but they didn’t know the system,” he said. “The team was skilled in IT hacking, but not skilled in ICS. The second Ukraine attack, they were more knowledgeable. They progressed and they were talking a bit better.”

But they were still not literate in the ICS control environment.

Related to that lack of literacy, Larsen said there are two payloads when it comes to an attack: the physics payload and the cyber payload.

“Neither Ukraine attack showed they had any knowledge of the physics payload,” he said. “It was super sexy to report it was an APT, but they didn’t have competence in ICS control.”

That leads Larsen to say more security professionals need to spend time working on and developing the basics, because if it only took him 14 hours to create an attack, others can do the same thing.

“Some dude in the basement could have written the exploit,” Larsen said.

Don't fall for the hype of a reported attack. Understand what it actually is, and know that if you have the basics down, you can prevent an attack from occurring.
