7/12/2018
Wayne Lloyd
Commentary
ICS Security: 'The Enemy Is in the Wire'

Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

"The enemy is in the wire." During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we've known this for years; however, the call rang frighteningly true in May of this year.

This particular enemy was first discovered in August 2017, as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down. 

This company, which to date has not been named, called Saudi Aramco to help investigate software found on some of its computer systems. Together with experts from Mandiant, they discovered a new cyber weapon with echoes of Stuxnet, which was used to attack and disable Iran's uranium enrichment plant by making centrifuges spin at self-destructive speeds.

This new cyber weapon, however, was not designed to directly destroy a piece of equipment. It was designed to degrade what is known as a safety instrumented system, commonly used to monitor systems in nuclear power plants and oil and gas refineries. If Trisis had worked, the equipment would have gone past redline, creating catastrophic damage and potential loss of life. However, the creators of Trisis made a mistake, and the safety systems worked to shut down the equipment.

Now fast forward to May 2018. Researchers at startup Dragos announce that Trisis has been modified, infecting other safety instrumented systems. The shocking part is that this version of Trisis wasn't found in Middle East industrial systems, but in industrial systems inside the United States. The enemy is now truly in the wire.

What would happen if an industrial control system (ICS) were attacked and destroyed? We don't have to speculate. In December 2015, the Ukrainian power grid was disabled by malware called Crash Override. The Ukrainian grid was compromised by a phishing attack that originated in the IT system and jumped into the operational technology (OT) system. Researchers believe it was part of the Russian campaign to annex the Crimean Peninsula. That's a real-world example. But long-term outages will lead to consequences that the civilian population of a modernized country can't handle well, according to the Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat report.

Taking out the grid would be painful, but the grid can be brought back online. To really cripple large parts of the US, enemies could target our massive electricity-producing generators, which are made in China and India. Electric companies don't keep spares on hand, and it can take a year to build one. In World War II, we started bombing the factories instead of going after the finished planes on runways. If you take out the means of production, the rest goes downhill rapidly. If the generators are destroyed by compromising safety instrumented systems, it would indeed go badly for the population.

For example, in the many months it would take to get replacements from China or India, food and medicine distribution systems would become ineffective. Grocery stores typically only keep enough food on hand for three days. Without power, air conditioning and heat will not work, which can be deadly to the young and elderly. Traffic systems would be disabled, causing gridlock and preventing needed supplies and help from reaching those in need. Law enforcement and emergency personnel capabilities would be barely functional in the short term and become dysfunctional over sustained periods. Our military would have to be diverted to help the homeland civilian population. If timed right, a nation-state would be able to take advantage of allies that depend on US military support for their defense. The end results are truly dire. 

Because of this scenario, the US government is taking strategic steps to help counter the threats to the nation's critical infrastructure. The Department of Homeland Security has a program called the Apex Next Generation Cyber Infrastructure, which according to its website, "addresses the challenges facing our nation's critical infrastructure sectors, enabling infrastructure to operate effectively, even in the face of sophisticated, targeted cyberattacks." Similarly, the Department of Energy (DOE) in March 2018 released its Multiyear Plan for Energy Sector Cybersecurity, detailing its own cyber strategies. Both are long-term efforts; the DOE plans will be fully in place in four years. 

Meanwhile, there are near-term things that can be done to improve the security of industrial systems:

  • A full accounting of what is on OT and IT systems should be done first, to identify what is present, how the identified systems are configured, and how they can pass data throughout the network.
  • Then organizations can identify ICS and network devices that should be decommissioned and replaced with new and more secure devices.
  • Next, organizations should implement network segmentation, where possible.

Obviously, this is not foolproof, but it does add complexity that attackers must overcome to compromise an ICS. The extra time that costs them increases the chance they are caught before they can compromise anything.
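A first pass at the three steps above, as an added example that is not from the article: it runs over a constructed asset inventory and constructed flow records, flags OT devices on unsupported firmware as replacement candidates, and flags IT-zone hosts talking ICS protocols into the OT zone (or endpoints missing from the inventory altogether). The hostnames, the two-zone IT/OT model and the firmware-support flag are assumptions; the protocol ports are well-known public defaults.

```python
from dataclasses import dataclass
# Well-known TCP ports of common ICS protocols (public facts, not from the article).
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}

@dataclass(frozen=True)
class Asset:
    host: str
    zone: str                 # "IT" or "OT" (assumed two-zone model)
    role: str
    firmware_supported: bool  # False: vendor no longer ships fixes

@dataclass(frozen=True)
class Flow:
    src: str   # hostnames here; in practice resolved from flow/IP records
    dst: str
    dport: int

def decommission_candidates(assets):
    """Step 2: OT devices on unsupported firmware are replacement candidates."""
    return sorted(a.host for a in assets if a.zone == "OT" and not a.firmware_supported)

def cross_zone_ics_flows(assets, flows):
    """Steps 1 and 3: IT-zone hosts reaching ICS ports in the OT zone are paths a
    foothold on IT could ride into OT; endpoints not in the inventory are step-1 gaps."""
    by_host = {a.host: a for a in assets}
    findings = []
    for f in flows:
        src, dst = by_host.get(f.src), by_host.get(f.dst)
        if src is None or dst is None:
            findings.append((f.src, f.dst, f.dport, "unknown host: inventory gap"))
        elif src.zone == "IT" and dst.zone == "OT" and f.dport in ICS_PORTS:
            findings.append((f.src, f.dst, f.dport, "IT->OT " + ICS_PORTS[f.dport]))
    return findings

# Constructed sample inventory and flow records (hypothetical names).
ASSETS = [
    Asset("eng-ws-01", "IT", "engineering workstation", True),
    Asset("hmi-01", "OT", "HMI", True),
    Asset("plc-01", "OT", "PLC", True),
    Asset("plc-02", "OT", "PLC", False),
    Asset("sis-01", "OT", "safety instrumented system", True),
]
FLOWS = [
    Flow("hmi-01", "plc-01", 502),        # OT-to-OT polling: expected traffic
    Flow("eng-ws-01", "plc-02", 502),     # IT host talking Modbus into OT
    Flow("eng-ws-01", "hmi-01", 3389),    # IT->OT, but not an ICS port: not flagged here
    Flow("10.9.9.9", "sis-01", 20000),    # source missing from the inventory
]
```

Calling `decommission_candidates(ASSETS)` and `cross_zone_ics_flows(ASSETS, FLOWS)` yields the replacement list and the flows to review; the unflagged RDP flow is a reminder that this pass only covers ICS protocol ports and a full review would include remote-access paths too.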

This is intensive work, but it is work that must be done in order to determine what is most at risk. Companies can and should take steps to make their OT and IT systems resilient. What is a resilient system from a cybersecurity perspective? It is a system that is hard to hit, can detect incidents immediately, and can respond rapidly. The foundation for resilience is first knowing your environment completely.


Wayne Lloyd has over 25 years of field experience in information technology, with the last 15 years directly focusing in cybersecurity, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability risk assessment, and ...
Comments

No SOPA, 7/13/2018 | 6:52:39 PM
Locking Down ICS & Embedded Solutions
I worked for a time at one of the older process systems manufacturers in Southern California. It was a great learning experience where I got my hands in almost every stage of the development life cycle. As many know of me professionally, I am a proponent of open software and hardware. However, when it comes to the security of our water and power infrastructure, I take a very different stance. While the processes leading up to developing sound ICS may well include open source software or even open hardware in early stages, I feel strongly that the final product must be closed - for both software and hardware - and the system itself be highly proprietary to encourage security.

Encrypting process control firmware and locking down critical steps in the process flow may become a necessity as crackers grow more bold and their tools more sophisticated. System hardening and patch management are key activities and should be audited often. While not all intrusions related to ICS are due to old systems with glaring vulnerabilities, regular reviews of firmware and embedded OS versions and patch levels, analyzing traffic to controllers and reviewing interfaces to field processes with computer-based systems, readout equipment and other instrumentation may help uncover malware or other suspicious activity early.

There are more white papers out there lately regarding this topic from the top manufacturers of ICS tech and hopefully they are being read and recommendations are being implemented. The stakes are too high not to do so.
