Attacks/Breaches | Commentary
11/19/2015 12:00 PM
Barak Perelman
And Now, A Cyber Arms Race Towards Critical Infrastructure Attacks

As traditional explosives give way to 'logic bombs,' the need to protect our industrial networks and systems has never been more important.

Over the past several years, sophisticated code has been used for nation-state espionage in order to minimize risk to military personnel or costly equipment. Similar techniques are now being applied to the development of next-generation cyber weapons. These will allow troops to remotely launch cyber code designed to destroy physical equipment, cause severe damage to critical infrastructure, and impact not only military targets but also civilian lives.

There is a cyber arms race going on. Nation-states and terrorist organizations are spending billions of dollars to build the cyberbombs. According to U.S. government contractors and former Pentagon officials, a new half-billion-dollar U.S. military contract will sponsor the development of lethal cyberweapons. The goal of this United States Cyber Command project, according to various news reports, is to develop capabilities that will allow troops to launch logic bombs instead of traditional explosives and essentially direct an enemy's critical infrastructure to self-destruct.

While governments and adversaries are investing in the development of cyberarms, very little is being done to protect our critical infrastructure, leaving energy and manufacturing companies, for the most part, to fend for themselves against the growing threat of cyberattacks. Industrial facilities have become attractive targets for several reasons:

  • Industrial processes are part of every nation’s critical infrastructure and therefore a successful attack may cause both physical and psychological damage.
  • Most industrial facilities and networks were designed many years ago, before the threat of cyberattacks existed. As a result, operational networks were built without security controls, and they contain both design and code vulnerabilities that adversaries can exploit.
  • To achieve automation and efficiency improvements, these traditionally disconnected networks have been opened up to the external world and that increases their risk exposure.

The Visibility & Control Challenge
One of the main challenges industrial facilities face is the lack of visibility and security controls over SCADA (Supervisory Control and Data Acquisition) systems, which automate industrial processes and manage remote equipment. Within these systems, the most sensitive and critical elements are the programmable logic controllers (PLCs).

Introduced in the late 1960s, PLCs are dedicated industrial computers that make logic-based decisions to control industrial processes. They are found in every industrial environment and play a critical role in complex industrial processes like power generation, oil transportation, management of electrical and water utilities, and various manufacturing processes. A cyberattack that reaches these controllers, changes their logic, or takes them out of commission can have devastating physical results.

PLCs are designed to be ruggedized and require little ongoing maintenance. Therefore, it is not uncommon for PLCs installed decades ago to still be in operation. Although many documented PLC vulnerabilities can be exploited, most of these are never patched due to stability concerns. Given the complexity of the processes they automate, any disruption to a PLC can cause downtime, reliability issues, or other operational problems.

Since PLCs were deployed decades ago and rarely undergo maintenance, it is virtually impossible to maintain an accurate inventory that details where devices are located and what logic they actually run. In addition, the logs commonly used in IT systems to monitor configuration changes or to record a last known good configuration do not exist in PLCs. As a result, if a cyberattack successfully alters PLCs, there are no efficient recovery mechanisms in place.
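The inventory and last-known-good gap described above can be narrowed from the outside by keeping a hash of each controller's approved logic and comparing it against periodic read-backs. The following is an added example, not code from the article or from Indegy; the controller ids, locations and the byte strings standing in for PLC logic are constructed sample data, and the vendor-specific protocol used to read logic from a real controller is not modelled.

```python
"""PLC logic baseline and drift check (added example, not the article's or
Indegy's code). Controller ids, locations and 'logic' byte strings are
constructed sample data; reading real controller logic goes through
vendor-specific protocols that are not modelled here."""
import hashlib
from dataclasses import dataclass

@dataclass
class PlcRecord:
    """Inventory entry: controller location and hash of its approved logic."""
    location: str
    known_good_sha256: str

def fingerprint(logic: bytes) -> str:
    """Content hash of a logic/program image read back from a controller."""
    return hashlib.sha256(logic).hexdigest()

def approve(inventory: dict, plc_id: str, location: str, logic: bytes) -> None:
    """Record the last-known-good logic for a controller (the recovery reference)."""
    inventory[plc_id] = PlcRecord(location, fingerprint(logic))

def check_drift(inventory: dict, snapshot: dict) -> list:
    """Compare a fresh read of every controller against the baseline.

    One finding per anomaly: 'changed' (logic differs from approved),
    'missing' (inventoried controller did not answer) or 'unknown'
    (device seen on the wire but absent from inventory). Each finding
    carries the approved hash so the restore target is known immediately.
    """
    findings = []
    for plc_id, rec in inventory.items():
        if plc_id not in snapshot:
            findings.append((plc_id, "missing", rec.location, rec.known_good_sha256))
        elif fingerprint(snapshot[plc_id]) != rec.known_good_sha256:
            findings.append((plc_id, "changed", rec.location, rec.known_good_sha256))
    for plc_id in snapshot.keys() - inventory.keys():
        findings.append((plc_id, "unknown", "not inventoried", None))
    return sorted(findings)

# Constructed sample: two approved controllers, then a read in which one has
# lost an interlock instruction and an uninventoried device has appeared.
INVENTORY: dict = {}
approve(INVENTORY, "plc-pump-01", "pump house A", b"LD X0\nOUT Y0\n")
approve(INVENTORY, "plc-valve-02", "tank farm", b"LD X1\nANI X2\nOUT Y3\n")
SNAPSHOT = {
    "plc-pump-01": b"LD X0\nOUT Y0\n",
    "plc-valve-02": b"LD X1\nOUT Y3\n",
    "plc-unknown-09": b"END\n",
}
FINDINGS = check_drift(INVENTORY, SNAPSHOT)
```

Each finding names the controller, what went wrong, where it sits and the approved hash, which is exactly the inventory and last-known-good record the text says PLCs themselves do not keep.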

Monitoring network activity and searching for signatures and indicators of compromise has proven challenging as well. The "open architecture" of the Internet age does not exist in industrial networks. Since every industrial equipment vendor implements its own proprietary network technology, most of it poorly documented, it is difficult to understand all the activity on the network.

To add even more complexity, it is common for multiple vendor technologies to be implemented in the same industrial network. This complexity and the lack of adequate monitoring tools create blind spots that can allow sophisticated code, or insiders with malicious intent, to go undetected and compromise PLCs.

Collateral Damage
The threat of cyberweapons goes beyond their direct impact on industrial facilities since successful attacks can produce massive and unintended collateral damage beyond their initial target. That’s because they are attacking a technology that is ubiquitous across the industrial sector. Attack code could easily spread to infrastructures and industries that weren’t originally targeted, yet they would still suffer from its consequences.

Another serious concern is the possibility that these new cyberweapons will end up in the wrong hands, “leaked” by disgruntled employees or through security breaches. It’s worth mentioning that contractors bidding for the United States Cyber Command contract include companies like Boeing and Lockheed Martin, both of which were victims of information theft by Chinese hackers in recent years.

Cyberattacks targeting critical infrastructure are not theoretical; they are real and pose an even greater threat in the wake of new classes of cyberweapons being developed to exploit design issues and vulnerabilities in industrial networks. The lack of security controls and vulnerabilities in PLCs, combined with insufficient visibility and control over operational networks, is a problem that can’t be addressed too soon.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...