
Tuesday, January 13, 2015

December news roundup: Critical infrastructure cyberattacks overshadowed by Sony data breach
In what was one of the biggest cybersecurity stories of 2014, Sony Pictures fell victim to a major data breach where terabytes of information was stolen that was then slowly leaked to the public over the course of weeks. The ensuing scandal over embarrassing executive emails and the revelation that North Korea may have been the culprit, spurring fears of cyberwar, dominated the December headlines. It overshadowed other important industrial cybersecurity stories with implications for the state of the industry as we head into 2015. These stories included the disclosure of a cyberattack against a German steel mill that caused massive damage to a blast furnace, and the discovery of a computer worm that was removed from devices connected to industrial control system (ICS) networks at a South Korean nuclear operator. Read about these developing stories and more in this month’s news roundup:

The German Federal Office for Information Security (BSI) disclosed in its annual report a cyberattack against a steel mill blast furnace that caused massive physical damage. Hackers were able to infiltrate the plant by stealing the credentials of employees who had access to control system networks. This is a major cyberevent, and it serves as a wake-up call about the evolving capabilities of modern-day adversaries, as it is one of the best examples of how a cyberattack can be a threat to safety and reliability.

When investigating a non-critical data breach from earlier in the month, a South Korean nuclear facility discovered a computer worm on certain devices that were connected to control system networks. While no control systems were compromised by the worm, it underscores the security concerns of connecting corporate IT networks to critical OT networks. Any control system network connected directly or indirectly to the internet must have security defenses in place to ensure the continued safety and reliability of protected systems.

In what would surely require a re-write of industrial cybersecurity history, Bloomberg reported that a cyberattack was behind a Turkish oil pipeline fire in 2008. If the report is accurate, then the incident took place two years before the infamous Stuxnet worm damaged centrifuges at an Iranian nuclear facility. The Turkish oil pipeline event would be one of the earliest-known examples of a high-impact cyberattack on critical infrastructures. For the world, it’s just another reason why cybersecurity is just as important as physical security.

Iranian hacker activity has picked up around the globe, compromising computer networks, government agencies and critical infrastructure sites in the U.S. in a campaign called “Operation Cleaver.” While Iranian hackers are nothing new, the story offers evidence that the threats out there are real and they need to be taken seriously. With new recruits coming in daily, our adversaries and their capabilities keep getting stronger. Critical infrastructures need to keep strengthening their defenses as well, including the latest best practice, stronger-than-firewall protections, to stay one step ahead.

Want to read more industry news? Check out our November news roundup.

Friday, December 19, 2014

NSA Director Says Cyberattacks on Critical Systems a Matter of “When, Not If”
I recently had the opportunity to review the entire testimony of Adm. Michael Rogers, director of the National Security Agency (NSA) and head of U.S. Cyber Command, to the House Intelligence Committee hearing, available at C-SPAN. It seems the purpose of the testimony was to support an information-sharing bill. Now, I prefer to focus on intrusion prevention rather than sharing information about already-detected intrusions, but still I found that the admiral said a number of interesting things relevant to modern intrusions and the capabilities of our adversaries.

For example, Admiral Rogers said, among other things, in response to a question about the capabilities of “trojan horses” found on industrial control system (ICS) networks:

“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that – to enter our systems, to enter those industrial control systems, and to shut down – forestall our ability to operate – our basic infrastructure.”

This statement was big news, given that the admiral is the highest-ranked individual in the American administration to have admitted that our critical infrastructure could be hacked. But to people working in the critical infrastructure cybersecurity field, this is not news at all. Common wisdom has it that any site can be hacked if an adversary is given enough time, enough money and enough talent to do the hacking – and nation-states generally have all three in abundance.

The growing threat of nation-states
What was more interesting to me was when Admiral Rogers elaborated on this statement. The headlines that followed his testimony were all about China having the ability to shut down critical infrastructures, but the Admiral’s comments were clear – several nation-states have this capability and others are developing it, and other groups and even individuals are doing the same. For example, Admiral Rogers said that his agencies are seeing criminal gangs starting to use the tools and techniques that have historically been attributed only to nation-states. It would appear that some nation-states are outsourcing their cyberattacks. Organized crime has a long history in the cyber-security world and is responsible for the majority of malware and botnets which plague all computers connected to the Internet. The question we’d all like to see answered is, “what else will these criminal groups use these types of attack techniques for, and when?”

Admiral Rogers repeatedly gave the example of the Shamoon malware, which erased 30,000 computers on the Saudi Aramco corporate network. Erasing hard disks on a control system network is a comparatively low-tech attack, but it is unfortunately very likely to be an extremely effective attack. Modern infrastructure generally cannot be operated without human oversight, and control system computers are essential in providing such oversight. Erase enough control system hard drives and the physical critical infrastructure – the power plant or pipeline – must be shut down.

How long will it take to bring back up? The Admiral was vague here, and for good reason. How long a site takes to recover from a Shamoon-style attack on control system computers very much depends on the physical industrial process in question, and the recovery time depends on how thorough and how well-practiced our disaster recovery plans are. Do we have current back-ups for every part of the control system? Were any programmable logic controllers (PLCs) or other devices attacked and erased? Do we have back-ups of that equipment?

Information sharing alone is insufficient
Now, the focus of the Admiral’s testimony was the current information-sharing bill, and so “information sharing” was the remediation that he returned to time and again when questioned. I believe that information sharing is a good thing, but it is far from sufficient in terms of preventing a widespread outage of critical infrastructures. Information sharing only works after we have discovered the characteristics of a compromise so surviving infrastructure sites can try to detect similar compromises before they, too, are crippled.

Information sharing does little to prevent widespread, simultaneous compromise. Imagine, for example, a bit of malware disguised as a device driver security update-checking program. The program looks harmless – it reaches out to a plausible-seeming website periodically to check for updates. (For the record, there should be no route from control computers to the Internet to begin with, but that rule of security gets broken more often than not.) Of course, the website is a sham, and when this bit of malware downloads and runs a particular update, suddenly hundreds or even thousands of infrastructure sites malfunction simultaneously. Did information sharing save us?

There is obviously a time and a place for information sharing, but for most critical infrastructure ICS networks, strong intrusion prevention is more important than information sharing. Furthermore, since it is theoretically impossible to reliably ask some firewall or other intrusion detection software to differentiate “good software” from “bad software” (or even “good messages” from “bad messages”), hardware-enforced Unidirectional Security Gateways at critical infrastructure cyberperimeters are one of the few very effective tools we have at our disposal to defeat these modern threats and persistent, remote attack patterns.
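The update-checker scenario above has a simple detection counterpart that follows the same logic as the post: do not try to classify the update site as good or bad, treat any route from a control host to the Internet as the violation, and flag connections that recur at a fixed interval. This is an added example written for this page, not code from the post or from Waterfall; the control subnet, the internal ranges and the firewall log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed (not in the post): control hosts are 10.10.0.0/16; only these private ranges are internal.
ICS_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log, one flow per line: "<ISO time> <src> <dst>:<port>".
SAMPLE_LOG = """\
2014-12-01T08:00:00 10.10.4.21 10.10.1.5:502
2014-12-01T08:00:00 10.10.4.21 203.0.113.7:443
2014-12-01T09:00:00 10.10.4.21 203.0.113.7:443
2014-12-01T10:00:00 10.10.4.21 203.0.113.7:443
2014-12-01T10:03:00 10.10.4.22 10.10.1.9:44818
2014-12-01T10:05:00 192.168.50.3 203.0.113.7:443
this line is deliberately malformed
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst, port); skip lines that do not fit the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(port))

def egress_violations(log):
    """Flows from the control subnet to any non-internal address. No list of
    'good' update sites is consulted: the route itself is the violation."""
    return [(ts, str(src), str(dst), port) for ts, src, dst, port in parse(log)
            if src in ICS_NET and not any(dst in n for n in INTERNAL_NETS)]

def beacons(log, min_hits=3):
    """Map (src, dst, port) -> interval in seconds for violations that recur at
    a constant interval, the signature of a scheduled 'update check'."""
    series = defaultdict(list)
    for ts, src, dst, port in egress_violations(log):
        series[(src, dst, port)].append(ts)
    found = {}
    for key, stamps in series.items():
        stamps.sort()
        gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
        if len(stamps) >= min_hits and len(gaps) == 1:
            found[key] = gaps.pop()
    return found
```

The corporate host 192.168.50.3 reaching the same site is deliberately not flagged: the rule is scoped to the control network, where such a route should not exist at all.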

Applying new cybersecurity best practices
Strong cyberperimeter protections must be part of the security response to these critical ICS threats. Unidirectional Security Gateways are the new industrial cybersecurity best practice, most recently included in the new ANSSI cybersecurity guidelines. Information sharing is a worthwhile program, but it will not save us if all we have protecting our critical networks is software.

Want to hear the latest news impacting industrial security? Follow Waterfall Security on Twitter: @WaterfallSecure.

Monday, November 3, 2014

October news roundup: Are we ready for cyberwarfare?
The rising likelihood of cyberwarfare has been a prominent topic over the last couple of weeks in industrial cybersecurity press. The reports that politically-motivated hackers have no reservations when it comes to launching large-scale cyberattacks against a nation’s critical infrastructure did not mesh well with the news that most industrial control systems are understaffed and underprepared for the possibility of cyberwarfare. Attacks have become increasingly sophisticated, and hackers are determined to get around common firewall defenses through whichever means possible. Overall, this makes the ensured protection of our critical infrastructure all the more important. Here are some recent reports on the topic:

The lack of cyberattacks that have been directed at industrial control systems (ICS) in the past has made them extremely susceptible to future attacks, according to SC Magazine’s correspondent at the Stockholm International Summit on Security in ICS. Because control systems aren’t under attack from advanced threats, such as malware, nearly as much as large enterprises are, the likelihood of a successful hacking attempt is troublingly high. According to the article, there’s little incentive among critical infrastructure security professionals to fix a crisis that hasn’t occurred yet.

The motives behind hacker groups Dragonfly and Energetic Bear may have been misinterpreted all along, according to a new report from Dark Reading. The article claims that compromised companies were not from the critical energy sector, but rather suppliers for OEMs that served pharma and biotech. Dragonfly’s malware concentrated on uploading malicious code into systems that would reflect real-world ICS configurations. The targeted companies’ “trojanized” computers were connected to industrial control system utilities and drivers.

Stewart Baker, a former general counsel for the NSA, warns the industry that organizations have no reservations toward using cyberweaponry as a means to gain power on the international stage. This suggests that the future of international disputes will be settled on a digital battlefield, with the primary target being critical infrastructure, an area where knowledgeable political hackers know they can do a lot of damage.

Security professionals have discovered that Sandworm, a hacking organization with links to Russian cyberespionage, is likely going after industrial SCADA systems that use products from GE Intelligent Platforms by way of malware. Researchers from Trend Micro claimed that the hackers used files that run through the application, CIMPLICITY, in order to gain closer access to the programs that run in conjunction with SCADA systems.

Peter Behr and Blake Sobczak look at how a large number of basic vulnerabilities affecting power grids, factories and pipelines have gone largely unaddressed. This is a result of the sensors and remote controllers that play a huge role in transferring vital data throughout ICS being built without cybersecurity in mind. Thus, critical infrastructure is left with a gaping flaw in security by the design of the systems themselves.

Want to read more? See what we had to say about cyberwarfare earlier this year.
Friday, January 17, 2014

Cyberwarfare is a bigger threat to U.S. than terrorism – now what?

Defense News released last week the results of a poll in which nearly half of the U.S. national security leaders who responded cited cyberwarfare as the most serious threat facing the country, ranking it higher than terrorism or China. The alarm bells have been ringing for some time now – the sound got louder last year, when President Obama issued an executive order to update the National Institute of Standards and Technology (NIST) cybersecurity framework. With this latest survey it seems that a consensus is starting to emerge that yes, cyberattacks are a real threat and something must be done to better secure the nation’s critical infrastructures. While it’s encouraging to see this issue finally getting the attention it deserves, the question still remains: “will anything be done about it?”

Unfortunately, it will probably take a large-scale attack for some utilities to get serious about improving security defenses. This is because many utilities base their risk models on the likelihood of an attack – and without a significant event to reference, the probability of future attack must be low, right? In fact, all it takes is one significant event to trigger the risk models, and no utility wants to become the new poster child for critical infrastructure cyberattacks – one that will be talked about and analyzed for years to come. While the first big attack will almost certainly light a fire underneath utilities, this isn’t something we can afford to wait for when power, or clean water, or clean air for millions of people are at risk.

There is progress to report. The North American Electric Reliability Corporation (NERC) recently updated its Critical Infrastructure Protection (CIP) standards to Version 5, which is a marked improvement over Versions 3 and 4. These standards will go a long way in bringing power grid security up to par by encouraging the adoption of new technologies that are stronger than firewalls.

Firewalls are no match for the advanced level of today’s cyber threats. It’s like going into battle using paper clips for armor. Years ago, a lot of us were confident that a firewall would block the vast majority of cyberattacks, whether we were right or not. Nowadays, firewall limitations are well-known in both white-hat and black-hat communities. The problem is that security practitioners in utilities often have trouble communicating this risk to the management teams who control security budgets. These teams often don’t understand just how poor their defenses are until someone shows them how easy it is to breach those defenses. Hiring a penetration tester is a good way to expose poor defenses, before our enemies do.


NERC has recognized the value of Unidirectional Security Gateways. What will it take to communicate the risk to other decision-makers? Sometimes what it takes is a security breach – malicious or benign – to change our thinking. Better a white-hat penetration-testing breach, than waiting to become a poster child for a black-hat cyberattack.