Tuesday, December 23, 2014

Hackers Seriously Damage German Steel Mill

Lost in the media coverage of the Sony cyberattack is a German government report issued last week describing a cyberattack that resulted in “massive” damage to a blast furnace at a steel mill.

We've translated the full text of the German incident description below:

APT attack on industrial plants in Germany

Facts: Targeted attack on a steel plant in Germany.

Method: Using sophisticated spear phishing and social engineering, the attacker gained initial access to the corporate network at the steelworks. From there, they moved successively into the production networks.

Damage inflicted: Individual control components failed increasingly frequently, as did entire facilities. The failures resulted in a blast furnace suffering an uncontrolled shutdown. This resulted in massive damage to the system.

Targeted groups: Operators of industrial plants.

Technical skills: The technical capabilities of the attacker were evaluated as very advanced. The compromise extended from a number of different kinds of internal systems to industrial components. The know-how of the attackers was not only very sophisticated in the field of conventional IT security, but extended to a detailed knowledge of applied industrial control and production processes.

This is a significant report. Industrial control systems (ICS) are generally built with many layers of protection – from physical safety systems, to cyber safety systems or safety instrumented systems (SIS), to equipment protection systems. These layers upon layers of systems are designed to protect not just equipment, but human life if ever an unsafe condition arises. All bets are off, though, if these systems are compromised.

From the limited information in the report, it looks like at least the physical safety systems worked, since there are no reports of injuries. But the systems at the site failed to protect the blast furnace from damage. The report states that as a consequence of the attack, an uncontrolled shutdown caused “massive” damage to the blast furnace.

Evolving best practice
This attack is a clear example of why best practices are evolving toward providing sophisticated, hardware-based protections for at least SIS and protection equipment. Software security protections, such as firewalls, are notoriously vulnerable to attack. A technically sophisticated attacker can compromise software-based defenses remotely over the Internet from the comfort and safety of anywhere they please. Hardware-enforced Unidirectional Security Gateways are gaining global attention as an industry best practice, embraced and endorsed by regulations and guidelines such as NERC CIP, IEC 62443-3-3, the ANSSI guidelines and others.

When it comes to protecting ICS, soft interiors need hard shells.

See what we had to say about the NSA Director’s recent comments about the capabilities of attackers to target ICS.

Friday, December 19, 2014

NSA Director Says Cyberattacks on Critical Systems a Matter of “When, Not If”

I recently had the opportunity to review the entire testimony of Adm. Michael Rogers, director of the National Security Agency (NSA) and head of U.S. Cyber Command, to the House Intelligence Committee hearing, available at C-SPAN. It seems the purpose of the testimony was to support an information-sharing bill. Now, I prefer to focus on intrusion prevention rather than sharing information about already-detected intrusions, but still I found that the admiral said a number of interesting things relevant to modern intrusions and the capabilities of our adversaries.

For example, Admiral Rogers said, among other things, in response to a question about the capabilities of “trojan horses” found on industrial control system (ICS) networks:

“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that – to enter our systems, to enter those industrial control systems, and to shut down – forestall our ability to operate – our basic infrastructure.”

This statement was big news, given that the admiral is the highest-ranked individual in the American administration to have admitted that our critical infrastructure could be hacked. But to people working in the critical infrastructure cybersecurity field, this is not news at all. Common wisdom has it that any site can be hacked if an adversary is given enough time, enough money and enough talent to do the hacking – and nation-states generally have all three in abundance.

The growing threat of nation-states
What was more interesting to me was when Admiral Rogers elaborated on this statement. The headlines that followed his testimony were all about China having the ability to shut down critical infrastructures, but the Admiral’s comments were clear – several nation-states have this capability and others are developing it, and other groups and even individuals are doing the same. For example, Admiral Rogers said that his agencies are seeing criminal gangs starting to use the tools and techniques that have historically been attributed only to nation-states. It would appear that some nation-states are outsourcing their cyberattacks. Organized crime has a long history in the cyber-security world and is responsible for the majority of malware and botnets which plague all computers connected to the Internet. The question we’d all like to see answered is, “what else will these criminal groups use these types of attack techniques for, and when?”

Admiral Rogers repeatedly gave the example of the Shamoon malware, which erased 30,000 computers on the Saudi Aramco corporate network. Erasing hard disks on a control system network is a comparatively low-tech attack, but it is unfortunately very likely to be an extremely effective attack. Modern infrastructure generally cannot be operated without human oversight, and control system computers are essential in providing such oversight. Erase enough control system hard drives and the physical critical infrastructure – the power plant or pipeline – must be shut down.

How long will it take to bring back up? The Admiral was vague here, and for good reason. How long a site takes to recover from a Shamoon-style attack on control system computers very much depends on the physical industrial process in question, and the recovery time depends on how thorough and how well-practiced our disaster recovery plans are. Do we have current back-ups for every part of the control system? Were any programmable logic controllers (PLCs) or other devices attacked and erased? Do we have back-ups of that equipment?
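The recovery questions above (current backups for every part of the control system, including the PLCs) can be turned into a routine check. The script below is an added example, not part of the original post or any Waterfall product: it takes a constructed asset inventory and backup catalogue (the field names, asset ids and dates are assumed for illustration) and reports which assets have no backup, a backup older than that asset's allowed age, or a backup whose restore was never verified.

```python
from datetime import date

# Constructed control-system asset inventory (assumed format, not real data).
# max_age_days: how old a backup may be before the asset counts as "stale".
ASSETS = [
    {"id": "HMI-01",    "kind": "hmi",       "max_age_days": 7},
    {"id": "HIST-01",   "kind": "historian", "max_age_days": 1},
    {"id": "PLC-BF-01", "kind": "plc",       "max_age_days": 30},
    {"id": "PLC-BF-02", "kind": "plc",       "max_age_days": 30},
    {"id": "SIS-01",    "kind": "sis",       "max_age_days": 30},
]

# Constructed backup catalogue. "verified" means a test restore succeeded.
BACKUPS = [
    {"asset": "HMI-01",    "taken": "2014-12-15", "verified": True},
    {"asset": "HIST-01",   "taken": "2014-12-18", "verified": True},
    {"asset": "PLC-BF-01", "taken": "2014-10-01", "verified": True},
    {"asset": "PLC-BF-02", "taken": "2014-12-10", "verified": False},
]


def assess_backups(assets, backups, today):
    """Classify each asset as ok / missing / stale / unverified.

    Only the newest backup per asset is considered; an asset with no
    catalogue entry at all is "missing", which is the worst case for a
    Shamoon-style wipe because there is nothing to restore from.
    """
    newest = {}
    for b in backups:
        taken = date.fromisoformat(b["taken"])
        if b["asset"] not in newest or taken > newest[b["asset"]][0]:
            newest[b["asset"]] = (taken, b["verified"])

    report = {}
    for a in assets:
        if a["id"] not in newest:
            report[a["id"]] = "missing"
            continue
        taken, verified = newest[a["id"]]
        age = (today - taken).days
        if age > a["max_age_days"]:
            report[a["id"]] = "stale"
        elif not verified:
            report[a["id"]] = "unverified"
        else:
            report[a["id"]] = "ok"
    return report


def not_recoverable(report):
    """Assets that would block a clean restore after a wiper incident."""
    return sorted(k for k, v in report.items() if v != "ok")


if __name__ == "__main__":
    rep = assess_backups(ASSETS, BACKUPS, date(2014, 12, 19))
    for asset_id, status in rep.items():
        print(f"{asset_id:10s} {status}")
    print("needs attention:", ", ".join(not_recoverable(rep)))
```

Run against the constructed data on 2014-12-19 the script flags the PLC with a ten-week-old image, the PLC whose backup was never restore-tested, and the safety system with no backup at all; those are exactly the gaps that turn a disk-wiping incident from a restore job into an extended outage.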

Information sharing alone is insufficient
Now, the focus of the Admiral’s testimony was the current information-sharing bill, and so “information sharing” was the remediation that he returned to time and again when questioned. I believe that information sharing is a good thing, but it is far from sufficient in terms of preventing a widespread outage of critical infrastructures. Information sharing only works after we have discovered the characteristics of a compromise so surviving infrastructure sites can try to detect similar compromises before they, too, are crippled.

Information sharing does little to prevent widespread, simultaneous compromise. Imagine, for example, a bit of malware disguised as a device driver security update-checking program. The program looks harmless – it reaches out to a plausible-seeming website periodically to check for updates. (For the record, there should be no route from control computers to the Internet to begin with, but that rule of security gets broken more often than not.) Of course, the website is a sham, and when this bit of malware downloads and runs a particular update, suddenly hundreds or even thousands of infrastructure sites malfunction simultaneously. Did information sharing save us?
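The scenario above has a detectable footprint even before any indicator is shared: a control-network host that periodically reaches a site on the Internet. The script below is an added example, not code from the original post or from Waterfall: it parses a constructed set of perimeter flow records (the address plan, the control-zone range and the hostnames/addresses are assumed for illustration) and reports two things, every flow from the control zone to an address outside the RFC 1918 ranges, which the post says should not exist at all, and any such flow that repeats on a regular interval, which is the "checks for updates periodically" pattern.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed perimeter flow records: timestamp src dst dport proto.
# 10.20.5.14 "checks for updates" once an hour; 10.20.5.30 makes one outbound fetch.
SAMPLE_FLOWS = """\
2014-12-01T08:00:01 10.20.5.11 10.20.5.2      502 tcp
2014-12-01T08:00:07 10.20.5.11 10.10.0.5      443 tcp
2014-12-01T08:00:09 10.20.5.14 198.51.100.23  443 tcp
2014-12-01T09:00:09 10.20.5.14 198.51.100.23  443 tcp
2014-12-01T10:00:10 10.20.5.14 198.51.100.23  443 tcp
2014-12-01T11:00:08 10.20.5.14 198.51.100.23  443 tcp
2014-12-01T08:15:00 10.20.5.30 203.0.113.9     80 tcp
"""

# Assumed address plan: 10.20.5.0/24 is the control network. Anything outside
# the three RFC 1918 blocks is treated as "the Internet" for this check
# (ipaddress.is_private is not used because it also covers the TEST-NET
# documentation ranges used in the sample).
CONTROL_ZONE = ipaddress.ip_network("10.20.5.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank/# lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return flows


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def internet_egress(flows):
    """Every control-zone -> external flow violates the 'no route to the Internet' rule."""
    return [f for f in flows if f["src"] in CONTROL_ZONE and is_external(f["dst"])]


def beaconing(flows, min_count=3, tolerance_s=60):
    """Egress (src, dst, dport) tuples seen >= min_count times at near-regular spacing.

    Returns (src, dst, dport, count, mean_interval_seconds) for each hit.
    """
    by_key = defaultdict(list)
    for f in internet_egress(flows):
        by_key[(str(f["src"]), str(f["dst"]), f["dport"])].append(f["ts"])

    hits = []
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A human-driven download scatters its intervals; a timer does not.
        if max(gaps) - min(gaps) <= tolerance_s:
            hits.append(key + (len(stamps), round(sum(gaps) / len(gaps))))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in internet_egress(flows):
        print(f"EGRESS   {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
    for src, dst, dport, n, mean in beaconing(flows):
        print(f"BEACON   {src} -> {dst}:{dport}  {n} flows, every ~{mean}s")
```

The first list is the policy check: on a properly segmented control network it should be empty, and each entry is worth a ticket regardless of what the destination is. The second list is the behavioural check the post's hypothetical would trigger, and it needs no prior knowledge of the malware or the sham website.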

There is obviously a time and a place for information sharing, but for most critical infrastructure ICS networks, strong intrusion prevention is more important than information sharing. Furthermore, since it is theoretically impossible to reliably ask some firewall or other intrusion detection software to differentiate “good software” from “bad software” (or even “good messages” from “bad messages”), hardware-enforced Unidirectional Security Gateways at critical infrastructure cyberperimeters are one of the few very effective tools we have at our disposal to defeat these modern threats and persistent, remote attack patterns.

Applying new cybersecurity best practices
Strong cyberperimeter protections must be part of the security response to these critical ICS threats. Unidirectional Security Gateways are the new industrial cybersecurity best practice, most recently included in the new ANSSI cybersecurity guidelines. Information sharing is a worthwhile program, but it will not save us if all we have protecting our critical networks is software.

Want to hear the latest news impacting industrial security? Follow Waterfall Security on Twitter: @WaterfallSecure.  

Tuesday, December 9, 2014

November news roundup: Turbulent times for the U.S. power grid

The vulnerability of U.S. critical infrastructure to a state-sponsored attack was confirmed this past month, as the director of the NSA, Michael Rogers, reported that China has the capability to cause damage to the nation’s power grid. Rogers’ concern held a lot of weight, since it came after CERT’s discovery that in the fiscal year of 2014, hackers targeted the U.S. power grid up to 79 times. Similar to Rogers’ warning about China, CERT believes reconnaissance was the motivation for these attacks, where hackers plant malware within industrial control systems in order to gather information for more sophisticated attacks later. The worry for CERT and the NSA lies in what these hackers are capable of, underscoring the need for utilities to deploy stronger-than-firewall cybersecurity alternatives to ensure the safety and reliability of critical control system networks. Read about these developing stories and more in this month’s news roundup:
In arguably the month’s biggest news story, the director of the NSA and head of U.S. Cyber Command, Admiral Michael Rogers, publicly confirmed that China and “one or two other countries” have the capabilities to launch a cyberattack that would effectively shut down the United States electric grid. Rogers claimed that U.S. adversaries are already performing reconnaissance operations throughout U.S. critical infrastructure, making an attack that would harm these pre-infected industrial control systems a real possibility. Because most of these cyberthreats are likely state- and government-sponsored, Rogers says that the next step in preparation will be determining how to classify an act of war.

The latest security vulnerability to critical infrastructure comes in the form of three defects that were discovered within products manufactured by Advantech, an industrial technology developer. The three vulnerabilities include an OS command injection, a stack-based buffer overflow and a buffer overflow. Advantech has indicated that it will not fix two of the vulnerabilities. A fix has been issued for the third, but only in the latest release of Advantech software, and the fix does not work if an earlier installation is upgraded to the latest release without first erasing the device. This report highlights the continued problem of a “soft interior” in most control system networks, a problem that is often addressed with strong network cyber and physical perimeter protections.

Throughout the 2014 fiscal year, U.S. energy companies were the targets of 79 hacking incidents, reports CERT. Although this represents an overall decrease from last year’s number of 145, the fact remains that the grid is constantly under the threat of an attack. These hacks were not aimed at immediately disrupting or taking over operation systems, but there is concern that this malware gives the attackers a backdoor to grid systems where they could insert harmful programs in the future.

The Department of Homeland Security and ICS-CERT identified the Russian Trojan horse, BlackEnergy, as a threat to U.S. critical infrastructure. BlackEnergy was initially discovered within software used in oil and gas pipelines, water systems and power grids, covering the spectrum of most U.S. critical industries. Because it consists of the same strain of malware developed by the Russian cyberespionage group Sandworm, investigators are almost certain that BlackEnergy can be traced back to that group.
Check out our October news roundup for even more industrial security news.

Tuesday, December 2, 2014

Security Through Obscurity?

As I attend cybersecurity and industrial conferences across the country and world, I often hear some great questions and comments. I also sometimes hear questions that concern me very much. On a number of occasions over the past year, utility representatives, industry leaders and even regulating authorities have asked questions about exposure. No, they are not asking how to limit their attack surface. Rather, they are interested in making sure that the systems they run, build or regulate are not published to the public. Each time I hear these questions, I get a little more scared, for here is another person, perhaps even an entire company, who believes that their security depends on (at least in part) the fact that no one in the world knows where they are or what software they run. This is called “security through obscurity” and it does not work.

These questions are asked in several different ways, which reveals the motivation behind such inquiries. Some want to make sure they do not need to publicly disclose the manufacturer of the control systems. Others want to submit generic RFPs so that “the bad guys” don’t know what software they are running. Some extremists even want to eliminate their facilities from online services such as Google Maps.

There’s no escaping the fact that we live in a connected world, and there are some robust tools developed by the cybersecurity community to identify and fingerprint live systems. For any host connected in almost any fashion to a network, security researchers and professionals can map the system details, which can include hardware information, such as CPU and memory; software information, such as operating system and version, and applications installed; and even location, in many cases.

There are tools such as Shodan that can allow anyone to search for industrial control systems connected to the Internet. Further, using social and business media websites such as LinkedIn, Facebook and even press releases, it is almost always possible to determine the software used within the control systems at any company. Technical forums can provide even more detail, such as version and even configuration information. 

The obscurity that we thought we had created is a myth. In many cases, the secrecy has been breached without hacking or direct access to any assets. To make a long story short, the “bad guys” already know what you are running and where. 

Of course, critical infrastructures should never publish the details of their systems, such as network diagrams or detailed device logic. However, to assume that no one knows a particular site runs GE iFix or Wonderware, for example, would be a mistake. To predicate one’s security program on the concept that no one knows this is a backwards way of thinking. Best-practice defense-in-depth security architecture should begin with the assumption that the attackers know what systems and software are running.

It is time to stop kidding ourselves into believing that only we know the details about our critical infrastructure, and it is time to start protecting our control systems. This starts by reducing the attack surface. With strong perimeter protection, proper cybersecurity awareness education and good vulnerability management as a starting point, we can go a long way in protecting the safe and reliable operation of our infrastructure. 

Want to learn more about strong cybersecurity? Check out our webinars page for a case study of a power plant.