7/12/2018 10:30 AM
Wayne Lloyd
Commentary
ICS Security: 'The Enemy Is in the Wire'

Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

"The enemy is in the wire." During the Vietnam War, that call went out to warn everyone that the enemy had breached the perimeter of a fortified position. In the cyber world we have known for years that the enemy is already inside; in May of this year, however, the call rang frighteningly true.

This particular enemy was first discovered in August 2017: a new piece of malware, now known as Trisis (FireEye calls it Triton). A Middle Eastern oil and gas company found it when its industrial equipment started shutting down.

The company, which to date has not been named, called in Saudi Aramco to help investigate software found on some of its computer systems. Together with experts from Mandiant, the investigators discovered a new cyber weapon with echoes of Stuxnet, the malware used to sabotage Iran's uranium enrichment plant at Natanz by driving its centrifuges at self-destructive speeds.

This new cyber weapon, however, was not designed to destroy a piece of equipment directly. It was designed to tamper with a safety instrumented system (SIS): the independent layer of controllers and sensors that automatically brings a process to a safe state when it drifts outside its limits, used in nuclear power plants, refineries and petrochemical works. Trisis specifically targeted Schneider Electric's Triconex safety controllers, reaching them from a compromised engineering workstation, and it could only load its implant while the controller's physical key switch had been left in PROGRAM mode. Had it worked, an attacker could have pushed the process past redline with the safety layer silently disabled, creating catastrophic damage and potential loss of life. The creators of Trisis made a mistake, though: the implant tripped a validation failure in the controllers, and the safety system did its job and shut the equipment down.

Now fast forward to May 2018. Researchers at the ICS security startup Dragos reported that the group behind Trisis had not stopped: it was now active against other makes of safety instrumented system, not only Triconex, and it had expanded its operations outside the Middle East, including to industrial organizations inside the United States. The enemy is now truly in the wire.

What would happen if an industrial control system (ICS) were attacked and taken down? We don't have to speculate. In December 2015, part of the Ukrainian power grid was knocked out by attackers who got in through a phishing campaign against the utilities' IT networks and then pivoted into the operational technology (OT) systems to open breakers by hand; a second attack in December 2016 used purpose-built grid malware, known as Crash Override or Industroyer, to do the same thing automatically. Researchers attribute both attacks to Russian-linked actors operating in the context of the conflict that began with the annexation of the Crimean Peninsula. Those are real-world examples, and they were short outages. Long-term outages lead to consequences that the civilian population of a modernized country cannot handle well, according to the Defense Science Board Task Force report on Resilient Military Systems and the Advanced Cyber Threat.

Taking out the grid would be painful, but a grid can be brought back online. To really cripple large parts of the US, an enemy would go after the massive electricity-producing generators, which are built in China and India. Electric companies do not keep spares on hand, and it can take a year to build one. In World War II, the Allies bombed aircraft factories rather than hunting finished planes on runways: take out the means of production and the rest collapses rapidly. If generators were destroyed by compromising their safety instrumented systems, it would go badly indeed for the population.

For example, in the many months it would take to get replacements from China or India, food and medicine distribution would become ineffective. Grocery stores typically keep only about three days of food on hand. Without power, air conditioning and heat will not work, which can be deadly to the young and the elderly. Traffic systems would fail, causing gridlock and preventing supplies and help from reaching those in need. Law enforcement and emergency services would be barely functional in the short term and dysfunctional over a sustained period. The military would have to be diverted to help the civilian population at home, and a nation-state that timed the attack well could take advantage of allies that depend on US military support for their defense. The end results are truly dire.

Because of this scenario, the US government is taking strategic steps to counter threats to the nation's critical infrastructure. The Department of Homeland Security's Science and Technology Directorate runs a program called Apex Next Generation Cyber Infrastructure, which according to its website "addresses the challenges facing our nation's critical infrastructure sectors, enabling infrastructure to operate effectively, even in the face of sophisticated, targeted cyberattacks." Similarly, in March 2018 the Department of Energy (DOE) released its Multiyear Plan for Energy Sector Cybersecurity, detailing its own cyber strategies. Both are long-term efforts; the DOE plan will not be fully in place for four years.

Meanwhile, there are near-term things that can be done to improve the security of industrial systems:

  • Start with a full accounting of what is on the OT and IT networks: which systems are present, how each is configured, and which paths data can take between them. Passive collection from a network tap or span port is the safe way to do this in OT, where an active scan can knock over a fragile controller.
  • Use that inventory to identify the ICS and network devices that should be decommissioned and replaced with newer, more defensible devices.
  • Then implement network segmentation wherever possible, so that the corporate IT network, the process control network and the safety systems sit in separate zones with controlled, monitored conduits between them. The safety zone in particular should be reachable only from its own engineering workstation.
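The three steps above fit together in a single piece of tooling: an inventory built from observed traffic, and a zone policy checked against that same traffic so that every flow that crosses a zone boundary without permission, or touches a host nobody has accounted for, gets flagged. The script below is an added example, not code from the original article or from any vendor. The hosts, zones, flow records, port-to-protocol names and the conduit policy are all constructed assumptions; a real deployment would feed it flow exports from a span-port collector and its own asset register. One flow in the sample, a process engineering workstation reaching a safety controller over the Triconex engineering protocol, mirrors the path Trisis used.

```python
"""Added example: an OT/IT asset inventory and segmentation check run over
constructed flow records. Hosts, zones, services and the policy are assumed."""
from collections import defaultdict

# Constructed asset register (assumed): host address -> security zone.
INVENTORY = {
    "10.1.0.25": "IT",   # corporate file server
    "10.1.0.77": "IT",   # corporate laptop
    "10.2.0.10": "DMZ",  # historian replica between IT and OT
    "10.3.0.5":  "OT",   # HMI
    "10.3.0.6":  "OT",   # process engineering workstation
    "10.3.0.40": "OT",   # PLC speaking Modbus/TCP
    "10.4.0.2":  "SIS",  # safety controller
    "10.4.0.3":  "SIS",  # safety-system engineering workstation
}

# Well-known ICS service ports, used to name what a host is serving.
ICS_SERVICES = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 1502): "TriStation",  # Triconex engineering protocol
}

# Allowed cross-zone conduits (assumed policy): (src_zone, dst_zone) -> services.
# "*" permits any service; a pair that is absent permits nothing. Traffic inside
# a zone is allowed, so a SIS controller is reachable only from the SIS zone.
POLICY = {
    ("IT", "DMZ"): {"tcp/443"},
    ("OT", "DMZ"): {"*"},
}


def service_name(proto, dport):
    """Name a destination port, falling back to proto/port for everything else."""
    return ICS_SERVICES.get((proto, dport), f"{proto}/{dport}")


def build_inventory(flows):
    """Map every host seen on the wire to its zone and the services it serves."""
    seen = defaultdict(lambda: {"zone": "UNKNOWN", "serves": set()})
    for f in flows:
        for host in (f["src"], f["dst"]):
            seen[host]["zone"] = INVENTORY.get(host, "UNKNOWN")
        seen[f["dst"]]["serves"].add(service_name(f["proto"], f["dport"]))
    return dict(seen)


def check_segmentation(flows):
    """Return one violation record per flow that breaks the zone policy."""
    violations = []
    for f in flows:
        svc = service_name(f["proto"], f["dport"])
        src_zone = INVENTORY.get(f["src"])
        dst_zone = INVENTORY.get(f["dst"])
        if src_zone is None or dst_zone is None:
            # An unaccounted-for host is itself a finding: the inventory is incomplete.
            violations.append({**f, "service": svc, "reason": "host not in inventory"})
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic is allowed
        allowed = POLICY.get((src_zone, dst_zone), set())
        if svc not in allowed and "*" not in allowed:
            violations.append({**f, "service": svc,
                               "reason": f"{src_zone}->{dst_zone} {svc} not permitted"})
    return violations


# Constructed flow records (assumed), as a span-port collector might export them.
SAMPLE_FLOWS = [
    {"src": "10.3.0.5",  "dst": "10.3.0.40", "proto": "tcp", "dport": 502},   # HMI polls PLC
    {"src": "10.4.0.3",  "dst": "10.4.0.2",  "proto": "udp", "dport": 1502},  # SIS EWS programs SIS
    {"src": "10.3.0.6",  "dst": "10.4.0.2",  "proto": "udp", "dport": 1502},  # process EWS reaches SIS
    {"src": "10.1.0.77", "dst": "10.3.0.40", "proto": "tcp", "dport": 502},   # laptop talks Modbus to PLC
    {"src": "10.1.0.25", "dst": "10.2.0.10", "proto": "tcp", "dport": 443},   # IT reads historian replica
    {"src": "10.3.0.5",  "dst": "10.2.0.10", "proto": "tcp", "dport": 443},   # OT pushes to historian
    {"src": "10.9.9.9",  "dst": "10.3.0.40", "proto": "tcp", "dport": 502},   # host nobody registered
]

if __name__ == "__main__":
    for host, info in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(f"{host:<11} {info['zone']:<8} serves {sorted(info['serves'])}")
    for v in check_segmentation(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src']} -> {v['dst']} {v['service']}: {v['reason']}")
```

Run against the sample, the check reports three violations: the process engineering workstation talking TriStation to the safety controller, the corporate laptop speaking Modbus straight to a PLC, and the unregistered host. The first two are segmentation failures; the third is an inventory failure, and it is listed as a violation deliberately, because a host you cannot account for is one you cannot defend.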

Obviously, none of this is foolproof, but it adds complexity that attackers must work through before they can reach an ICS, and the extra time gives defenders a chance to catch them before anything is compromised.

This is intensive work, but it must be done to determine what is most at risk. Companies can and should take steps to make their OT and IT systems resilient. What is a resilient system from a cybersecurity perspective? One that is hard to hit, detects incidents immediately, and responds rapidly. The foundation for all of that is knowing your environment completely.


Wayne Lloyd has over 25 years of field experience in information technology, with the last 15 years directly focusing on cybersecurity, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability risk assessment, and ...
Comments
MarkSindone (User Rank: Apprentice), 7/23/2018 10:03:21 PM
Re: Locking Down ICS & Embedded Solutions
Do we have a choice anymore now that attacks are getting even more common nowadays? As long as we are connected, we become vulnerable and are open targets to hackers. There is just so much that the government and we can do, and at the end of the day we are just considered unlucky to have fallen victim to them. There is really no way out, if you were to ask me, if we wish to prevent the attacks. We just have to accept them and come up with countermeasures.
No SOPA (User Rank: Ninja), 7/13/2018 6:52:39 PM
Locking Down ICS & Embedded Solutions
I worked for a time at one of the older process systems manufacturers in Southern California. It was a great learning experience where I got my hands in almost every stage of the development life cycle. As many know of me professionally, I am a proponent of open software and hardware. However, when it comes to the security of our water and power infrastructure I take a very different stance. While the processes leading up to developing sound ICS may well include open source software or even open hardware in early stages, I feel strongly that the final product must be closed, for both software and hardware, and the system itself be highly proprietary to encourage security.

Encrypting process control firmware and locking down critical steps in the process flow may become a necessity as crackers grow more bold and their tools more sophisticated. System hardening and patch management are key activities and should be audited often. While not all intrusions related to ICS are due to old systems with glaring vulnerabilities, regular reviews of firmware and embedded OS versions and patch levels, analyzing traffic to controllers and reviewing interfaces to field processes with computer-based systems, readout equipment and other instrumentation may help uncover malware or other suspicious activity early.

There are more white papers out there lately regarding this topic from the top manufacturers of ICS tech and hopefully they are being read and recommendations are being implemented. The stakes are too high not to do so.