
Attacks/Breaches

11/19/2015 12:00 PM
Barak Perelman
Commentary

And Now, A Cyber Arms Race Towards Critical Infrastructure Attacks

As traditional explosives give way to 'logic bombs,' the need to protect our industrial networks and systems has never been more important.

Over the past several years, sophisticated code has been used for nation-state espionage in order to minimize risk to military personnel or costly equipment. Similar techniques are now being applied to the development of next-generation cyber weapons. These will allow troops to remotely launch cyber code designed to destroy physical equipment, cause severe damage to critical infrastructure, and impact not only military targets but also civilian lives.

There is a cyber arms race going on. Nation-states and terrorist organizations are spending billions of dollars to build the cyberbombs. According to U.S. government contractors and former Pentagon officials, a new half-billion-dollar U.S. military contract will sponsor the development of lethal cyberweapons. The goal of this United States Cyber Command project, according to various news reports, is to develop capabilities that will allow troops to launch logic bombs instead of traditional explosives and essentially direct an enemy's critical infrastructure to self-destruct.

While governments and adversaries are investing in the development of cyberarms, very little is being done to protect our critical infrastructure, leaving energy and manufacturing companies, for the most part, to fend for themselves against the growing threat of cyberattacks. Industrial facilities have become attractive targets for several reasons:

  • Industrial processes are part of every nation’s critical infrastructure and therefore a successful attack may cause both physical and psychological damage.
  • Most industrial facilities and networks were designed many years ago, before the threat of cyberattacks existed. As such, no security controls were implemented to defend operational networks, which contain both design and code vulnerabilities that can be exploited by adversaries.
  • To achieve automation and efficiency improvements, these traditionally disconnected networks have been opened up to the external world and that increases their risk exposure.

The Visibility & Control Challenge
One of the main challenges industrial facilities face is the lack of visibility and security controls over SCADA (Supervisory Control and Data Acquisition) systems, which automate industrial processes and manage remote equipment. Within these systems, the most sensitive and critical elements are the programmable logic controllers (PLCs).

Introduced in the late 1960s, PLCs are dedicated industrial computers that make logic-based decisions to control industrial processes. They are found in every industrial environment, and they play a critical role in complex industrial processes like power generation, oil transportation, management of electrical and water utilities, and various manufacturing processes. A cyberattack that reaches these controllers, changes their logic, or takes them out of commission can have devastating physical results.

PLCs are designed to be ruggedized and require little ongoing maintenance. Therefore, it is not uncommon for PLCs implemented decades ago to still be in operation. Although many documented PLC vulnerabilities can be exploited, most of these are never patched due to stability concerns. Given the complexity of the processes they automate, any disruption to PLCs can cause downtime, reliability issues, or other operational problems.

Since PLCs were deployed decades ago and rarely undergo maintenance, it is virtually impossible to maintain an accurate inventory that details where devices are located and what logic they actually run. In addition, the logs commonly used in IT systems to monitor configuration changes, or to record a last known good configuration, do not exist in PLCs. As a result, in the event that a cyberattack successfully alters PLCs, there are no efficient recovery mechanisms in place.
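Because the controllers themselves keep no change log, the record has to be kept outside them. The script below is an added illustration (not code from the article or from Indegy) of the minimum a plant operator can do about it: keep a signed-off "last known good" inventory of each controller's location and logic image, diff a fresh inventory against it, and hand back the stored image when a controller needs to be restored. The device names, locations and logic images are constructed sample data, and the ladder-style text stands in for whatever binary a real controller would upload.

```python
"""Baseline-and-diff check for PLC logic and location (defender-side illustration).

Added example, not part of the original article. All device ids, locations and
logic images below are constructed; in practice the images would be uploaded
from the controllers by the vendor's engineering tool.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One controller's approved state: where it sits and what it runs.
@dataclass
class ControllerRecord:
    device_id: str
    location: str
    logic_sha256: str
    logic_image: bytes  # kept so a tampered controller can be rolled back

# Inventory shape used throughout: device_id -> (location, logic image bytes)
Inventory = Dict[str, Tuple[str, bytes]]

def fingerprint(logic_image: bytes) -> str:
    """Stable fingerprint of a logic image; SHA-256 is enough to detect any edit."""
    return hashlib.sha256(logic_image).hexdigest()

def build_baseline(snapshots: Inventory) -> Dict[str, ControllerRecord]:
    """Turn an approved inventory into last-known-good records."""
    return {
        dev: ControllerRecord(dev, loc, fingerprint(img), img)
        for dev, (loc, img) in snapshots.items()
    }

def diff_inventory(baseline: Dict[str, ControllerRecord], current: Inventory) -> Dict[str, List[str]]:
    """Report every way the live inventory departs from the baseline."""
    findings: Dict[str, List[str]] = {
        "changed_logic": [],     # same controller, different program
        "moved": [],             # same controller, unexpected location
        "new_devices": [],       # controller nobody has signed off on
        "missing_devices": [],   # controller that stopped answering
    }
    for dev, (loc, img) in current.items():
        rec = baseline.get(dev)
        if rec is None:
            findings["new_devices"].append(dev)
            continue
        if fingerprint(img) != rec.logic_sha256:
            findings["changed_logic"].append(dev)
        if loc != rec.location:
            findings["moved"].append(dev)
    findings["missing_devices"] = [dev for dev in baseline if dev not in current]
    return findings

def last_known_good(baseline: Dict[str, ControllerRecord], device_id: str) -> bytes:
    """Return the approved logic image for rollback after a detected change."""
    return baseline[device_id].logic_image

def baseline_to_json(baseline: Dict[str, ControllerRecord]) -> str:
    """Serialise the baseline so it can be stored (and access-controlled) off the plant floor."""
    return json.dumps({
        dev: {"location": r.location, "sha256": r.logic_sha256, "image_hex": r.logic_image.hex()}
        for dev, r in baseline.items()
    }, sort_keys=True)

def baseline_from_json(text: str) -> Dict[str, ControllerRecord]:
    """Load a stored baseline, re-checking each hash against the stored image."""
    out: Dict[str, ControllerRecord] = {}
    for dev, entry in json.loads(text).items():
        img = bytes.fromhex(entry["image_hex"])
        if fingerprint(img) != entry["sha256"]:
            raise ValueError(f"stored baseline for {dev} is corrupt")
        out[dev] = ControllerRecord(dev, entry["location"], entry["sha256"], img)
    return out

# Constructed sample data: the signed-off inventory ...
BASELINE_SNAPSHOTS: Inventory = {
    "PLC-BOILER-01":   ("Plant A / boiler room", b"LD I0.0\nAND I0.1\n= Q0.0\n"),
    "PLC-PUMP-07":     ("Plant A / pump house",  b"LD I0.2\n= Q0.1\n"),
    "PLC-VALVE-03":    ("Plant B / tank farm",   b"LD I0.3\n= Q0.2\n"),
    "PLC-CONVEYOR-05": ("Plant B / packaging",   b"LD I0.4\n= Q0.3\n"),
}
# ... and what the next inventory sweep found (one edited program, one moved
# controller, one unknown controller, one controller gone silent).
CURRENT_SNAPSHOTS: Inventory = {
    "PLC-BOILER-01": ("Plant A / boiler room", b"LD I0.0\nAND I0.1\n= Q0.0\n"),
    "PLC-PUMP-07":   ("Plant A / pump house",  b"LD I0.2\nAND NOT I0.4\n= Q0.1\n"),
    "PLC-VALVE-03":  ("Plant B / pump house",  b"LD I0.3\n= Q0.2\n"),
    "PLC-MIXER-02":  ("Plant B / tank farm",   b"LD I0.5\n= Q0.4\n"),
}

BASELINE = build_baseline(BASELINE_SNAPSHOTS)

def run_check() -> Dict[str, List[str]]:
    """Round-trip the baseline through storage, then diff the live inventory against it."""
    stored = baseline_from_json(baseline_to_json(BASELINE))
    return diff_inventory(stored, CURRENT_SNAPSHOTS)

if __name__ == "__main__":
    for category, devices in run_check().items():
        print(f"{category:16s} {devices}")
```

The stored JSON is the artifact that matters: it is the change log the controllers cannot provide, so it belongs on a system with its own access control and audit trail, and every entry should correspond to an engineering change someone approved. A `changed_logic` finding with no matching change ticket is the signal this article says most plants currently cannot produce.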

Monitoring network activity and searching for signatures and indicators of compromise has proven challenging as well. The “open architecture” of the Internet age does not exist in industrial networks. Since every industrial equipment vendor implements its own proprietary network technology, most of which is not well documented, it is difficult to understand all the activity on the network.

To add even more complexity, it is common for multiple vendor technologies to be implemented in the same industrial network. This complexity and the lack of adequate monitoring tools create blind spots that can allow sophisticated code, or insiders with malicious intent, to go undetected and compromise PLCs.

Collateral Damage
The threat of cyberweapons goes beyond their direct impact on industrial facilities since successful attacks can produce massive and unintended collateral damage beyond their initial target. That’s because they are attacking a technology that is ubiquitous across the industrial sector. Attack code could easily spread to infrastructures and industries that weren’t originally targeted, yet they would still suffer from its consequences.

Another serious concern is the possibility that these new cyberweapons will end up in the wrong hands, “leaked” by disgruntled employees or through security breaches. It’s worth mentioning that contractors bidding for the United States Cyber Command contract include companies like Boeing and Lockheed Martin, both of which were victims of information theft by Chinese hackers in recent years.

Cyberattacks targeting critical infrastructure are not theoretical; they are real and pose an even greater threat in the wake of new classes of cyberweapons being developed to exploit design issues and vulnerabilities in industrial networks. The lack of security controls and vulnerabilities in PLCs, combined with insufficient visibility and control over operational networks, is a problem that can’t be addressed too soon.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...