9/23/2014 05:25 PM
ISIS Cyber Threat To US Under Debate

ICS/SCADA systems and networks hackable but not easily cyber-sabotaged without industrial engineering know-how, experts say.

Amid fresh threats by ISIS against the US and its allies this week, worries about what the well-financed and social-media-savvy militant group could do in the cyber realm have triggered debate over whether ISIS ultimately could, or would, disrupt US critical infrastructure networks.

ISIS has made no specific threats to US critical infrastructure, and no one knows for sure whether the militant group has any plans for a cyber attack against US interests, or even the technical capabilities to pull one off. Even so, US officials are keeping a watchful eye on ISIS' movements in the digital realm: NSA director Michael Rogers last week hinted that the agency is monitoring this. "We need to assume there is a cyber dimension in every area we deal with," Rogers said in a speech at a Washington conference.

Meanwhile, ICS/SCADA security experts dismiss dire predictions in some circles that ISIS -- or any other group -- could ultimately "take down" or significantly disrupt the US power grid via a distributed denial-of-service (DDoS) or other type of cyber attack. "The power grid isn't something you send a command to and it crashes. It has survived" nature and other events over the years, says Eric Byres, CTO and vice president of engineering at Belden's Tofino Security Products. "Even with the attack on the substation in Metcalf, Calif., the power stayed up," he says, referring to the bizarre April 2013 sniper attack there that took out 17 transformers.

The power grid is highly distributed and built with Mother Nature's fickle whims in mind, with plenty of redundancy and backup. "What is often lost is that this industry understands in a real way what's resilient. They know there are going to be equipment failures, [and] Mother Nature," says Patrick Miller, founder, director, and president emeritus of Energysec.org. "It's virtually impossible to cause a widespread outage."

Former US Department of Homeland Security counterterrorism official John Cohen says ISIS's preferred and flashy use of social media for recruitment, its graphic video productions of hostage executions, and its ability thus far to amass significant funding -- hundreds of millions of dollars by some estimates -- make ISIS a potential cyber attack threat. Cohen says he's not seen any information suggesting ISIS is targeting the US power grid.

"I would be concerned if they were able to attract" cyber experts who could execute cyber attacks, says Cohen, who is chief strategy advisor at Encryptics. "From the standpoint of a security person, even if I don't have specific intel about a specific threat or plot underway, I have to look at all factors if I'm going to be prudent and establish the capacity to mitigate this type of threat."

Concerns over ISIS's cyber capabilities recently were raised publicly by some former government officials. Peter Pry, executive director of the Task Force on National and Homeland Security, told multiple media outlets that ISIS has made contact with a major Mexican drug cartel that once took down a power grid in its native Mexico, and the US should prepare for such a threat.

The ICS/SCADA community considers nation-states or other technically sophisticated attackers the main threat to industrial systems and plants. There are plenty of weaknesses in the security chain of ICS/SCADA environments, so hacking into an ICS system that runs centrifuges or other processing equipment is possible. But inflicting real damage on a plant, such as forcing centrifuges to slow or speed up dramatically, would require inside knowledge of the plant as well as plenty of engineering know-how, notes Dale Peterson, founder and CEO of Digital Bond.

"What we see that's misunderstood is the engineering and automation skills needed to do real damage. We've seen these things are fragile and insecure … It's not difficult to gain access to many critical infrastructure systems -- a simple spear [phishing exploit] and pivot" can crash a control system, for instance, he says.

But real physical damage would require engineering expertise, such as understanding how the targeted centrifuges operate, Peterson says. "But if you get the right team, with an engineer who understands how to program it, and a hacker, then it's not that hard to do" damage, he says.

Renowned Stuxnet expert Ralph Langner says he doesn't believe ISIS would spend its time and money on cyber attacks against the US power grid when it appears to prefer more violent acts against people. Plus, the power grid would be less of a terror target than say, a chemical plant, which could potentially incur more physical damage and casualties, he says.

Those sites are vulnerable to a sophisticated attacker, says Langner, founder of Langner Communications. There's a misconception in some of those sites that the safety logic in their systems protects against cyber attacks, he says. "That's nonsense," Langner says. A station controller system may be able to shut down a plant in a safe manner, but that doesn't mean it can't be hacked by a sophisticated nation-state actor, he notes.

Craig Guiliano, senior threat specialist at security consultancy TSC Advantage, considers ISIS a legitimate cyber threat, pointing to reported claims of ISIS building a "cyber caliphate" and its own encrypted software. "They are pouring money into developing that type of cyber offensive capability," Guiliano says. "They have made good on their promises … If there's any group on the world stage where you have to take them at their word, it would be ISIS."

Too-soft software
The bottom line is that most software has flaws that attackers can exploit, and ICS/SCADA systems in power plants, manufacturing sites, and other utilities run vulnerable systems, security experts say. "Whether ISIS has the means to pull off something is an open question. What is clear is that fundamentally, all software can be hacked," says Andrew Ginter, vice president of industrial security at Waterfall Security.

Some major ICS/SCADA vendors are getting better about issuing fixes for software flaws, but the actual patching of ICS/SCADA systems remains the exception rather than the rule. Industrial plant operators are often hesitant to apply patches -- or make any software changes -- for fear of disrupting operations, which is the priority in manufacturing, power-plant generation, and other industrial environments.

"Every change to software is a threat to safety and reliability" of the plant, Ginter says.

Take Belden's Tofino Security, which four years ago offered a free upgrade to its Tofino Industrial Security System version 1.6 that included a security patch to all users -- even those not under a support contract -- who downloaded it within 30 days. "After 30 days, nobody was downloading it," recalls Belden's Byres, so the company reached out by email and added another 30 days to the offer. "It was super-frustrating for us," he says: after two months, fewer than a third of them had downloaded it.

"We're not sure if anyone installed" the patch, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
Marilyn Cohodas, User Rank: Strategist, 9/24/2014 | 4:22:00 PM
Re: The unmeasurable threat
It's difficult to predict what cybercrimes a westerner would be recruited to perform for ISIS, though we know for sure that some of it is creating web videos and disseminating them via social media. What's harder to understand is the process that turns an individual into a jihadist who carries out horrific acts. There has been a lot of ink spilled about the Boston marathon bombers -- and maybe we will get a better sense after the trial of Dzhokhar Tsarnaev. But now I'm as clueless as ever about how and why these things happen.
aws0513, User Rank: Ninja, 9/24/2014 | 3:39:21 PM
Re: The unmeasurable threat
It has yet to be determined what ISIS would want from the cyber-community other than support.  I am sure they would accept any help for their cause as long as it causes problems for their enemies.

When it comes to hacktivism it may not be that ISIS is good at recruiting as much as other misguided souls decide that the defiance that ISIS has toward western developed countries is in line with their ideologies and/or goals.  What is difficult to predict is what activities or information may fan the fires of dissent and cause such people to act in the name of or in league with ISIS.
Kelly Jackson Higgins, User Rank: Strategist, 9/24/2014 | 1:17:34 PM
Re: PRISM
Tapping cables won't necessarily catch an insider threat/pilfered credentials of an authorized insider.
Whoopty, User Rank: Ninja, 9/24/2014 | 1:04:52 PM
PRISM
It's a little surprising that the US is worried about potential ISIS security threats. It's previously made claims that the PRISM scheme and other NSA snooping measures are in place to prevent terrorism, be it real world or digital.

Of course we know that that isn't necessarily the case, but surely with that sort of comprehensive tracking system in place, any sort of attack could be instantly spotted and tracked to its source? Otherwise what's the point of tapping into cables and suffering through all the public outcry?
Kelly Jackson Higgins, User Rank: Strategist, 9/24/2014 | 11:47:17 AM
Re: The unmeasurable threat
One thing I didn't go into in my story that I've been thinking about and talking to experts about is how ISIS uses social media to recruit and reach out, and how that could be an avenue for recruiting DDoS participants, kind of how Anonymous did in its hacktivist campaigns. It was easy for Anon to get LOIC recruits for DDoS attacks, so it makes you wonder if the same would be true for ISIS or another terror group to do via social media. Then again, the question is whether DDoS really fits ISIS's MO.
aws0513, User Rank: Ninja, 9/24/2014 | 8:37:50 AM
The unmeasurable threat
As real as the ISIS threat is, there is another real threat that is hard to measure and predict until it happens.

Hacktivism is a relatively new threat on the cyberwar landscape.  There are citizens of other countries that may find reason to support the ISIS cause OR fall into that "the enemy of my enemy" mentality.  Depending on how well the ISIS campaign is conducted, this threat may be nothing, or it may boil into a completely different and unexpected cyber campaign.
securityaffairs, User Rank: Ninja, 9/24/2014 | 2:11:55 AM
ISIS is a concrete cyber threat
I have no doubt that ISIS is a concrete cyber threat and has the necessary skills and capabilities to conduct a major cyber attack against Western critical infrastructure.

ISIS members have a real perception of the effects of a cyber attack and how to conduct one. We must be prepared and evaluate carefully the real security level of our infrastructure; unfortunately, many security researchers have demonstrated over the years that it is too easy to locate a vulnerable system over the internet and exploit it in a cyber offensive.

Consider also that, as we approach matters of cyber warfare, the conflicts are instantaneous in nature and asymmetric, impossible to predict, and with objective difficulties for attribution.

Never let the guard down ... the enemy is ready!