
Attacks/Breaches

11/19/2015 12:00 PM
Barak Perelman
Commentary

And Now, A Cyber Arms Race Towards Critical Infrastructure Attacks

As traditional explosives give way to 'logic bombs,' the need to protect our industrial networks and systems has never been more important.

Over the past several years sophisticated code has been used for nation-state espionage in order to minimize risk to military personnel or costly equipment. Similar techniques are now being applied to the development of next-generation cyber weapons. These will allow troops to remotely launch cyber code designed to destroy physical equipment, cause severe damage to critical infrastructure, and impact not only military targets but also civilian lives.

There is a cyber arms race going on. Nation-states and terrorist organizations are spending billions of dollars to build the cyberbombs. According to U.S. government contractors and former Pentagon officials, a new half-billion-dollar U.S. military contract will sponsor the development of lethal cyberweapons. The goal of this United States Cyber Command project, according to various news reports, is to develop capabilities that will allow troops to launch logic bombs instead of traditional explosives and essentially direct an enemy's critical infrastructure to self-destruct.

While governments and adversaries are investing in the development of cyberarms, very little is being done to protect our critical infrastructure, leaving energy and manufacturing companies, for the most part, to fend for themselves against the growing threat of cyberattacks. Industrial facilities have become attractive targets for several reasons:

  • Industrial processes are part of every nation’s critical infrastructure and therefore a successful attack may cause both physical and psychological damage.
  • Most industrial facilities and networks were designed many years ago, before the threat of cyberattacks existed. As such, no security controls were implemented to defend operational networks, which contain both design and code vulnerabilities that can be exploited by adversaries.
  • To achieve automation and efficiency improvements, these traditionally disconnected networks have been opened up to the external world and that increases their risk exposure.

The Visibility & Control Challenge
One of the main challenges industrial facilities face is the lack of visibility and security controls over SCADA (Supervisory Control and Data Acquisition) systems, which automate industrial processes and manage remote equipment. Within these systems, the most sensitive and critical elements are the programmable logic controllers (PLCs).

Introduced in the late 1960s, PLCs are dedicated industrial computers that make logic-based decisions to control industrial processes. They are found in every industrial environment, and play a critical role in complex industrial processes like power generation, oil transportation, management of electrical and water utilities and various manufacturing processes. A cyberattack that reaches these controllers, changes their logic, or takes them out of commission, can have devastating physical results.

PLCs are designed to be ruggedized and require little ongoing maintenance. Therefore, it is not uncommon for PLCs implemented decades ago to still be in operation. Although many documented PLC vulnerabilities can be exploited, most of these are never patched due to stability concerns. Given the complexity of the processes they automate, any disruption to PLCs can cause downtime, reliability issues or other operational problems.

Since PLCs were deployed decades ago and rarely undergo maintenance, it is virtually impossible to maintain an accurate inventory that details where devices are located and what logic they actually run. In addition, the logs commonly used in IT systems to monitor configuration changes, or to record a last known good configuration, do not exist in PLCs. As a result, in the event that a cyberattack successfully alters PLCs, there are no efficient recovery mechanisms in place.
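As an added illustration (not part of this commentary, nor code from Indegy or any PLC vendor), the following Python keeps the record the paragraph above says controllers lack: an off-controller inventory of where each PLC is and a hash of the logic it ran at the last trusted read, so drift can be detected and a recovery target named. PLC identifiers, locations and the logic images are constructed stand-ins; reading logic off a real controller would replace the constructed dictionary.

```python
"""Added example, not from the article: an off-controller 'last known good'
record for PLC logic. PLC ids, locations and logic images below are
constructed stand-ins, not data from any real controller."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class PlcRecord:
    """One inventory entry: where the controller sits and the logic it ran."""
    plc_id: str
    location: str
    logic_sha256: str
    recorded_at: str


@dataclass
class Baseline:
    """Append-only history of logic hashes per PLC, stored outside the PLC."""
    records: Dict[str, List[PlcRecord]] = field(default_factory=dict)

    def record(self, plc_id: str, location: str, logic: bytes) -> PlcRecord:
        """Store a hash of logic read during a trusted maintenance window."""
        rec = PlcRecord(plc_id, location, hashlib.sha256(logic).hexdigest(),
                        datetime.now(timezone.utc).isoformat())
        self.records.setdefault(plc_id, []).append(rec)
        return rec

    def last_known_good(self, plc_id: str) -> Optional[PlcRecord]:
        """The recovery target if the live logic turns out to be altered."""
        history = self.records.get(plc_id)
        return history[-1] if history else None

    def check(self, plc_id: str, live_logic: bytes) -> str:
        """Compare a freshly read logic image against the baseline."""
        last = self.last_known_good(plc_id)
        if last is None:
            return "unknown-device"          # not in the inventory at all
        if hashlib.sha256(live_logic).hexdigest() == last.logic_sha256:
            return "unchanged"
        return "drift"                       # differs from last known good


# Constructed logic images (toy instruction lists) standing in for programs
# downloaded from the controllers during a maintenance window.
CONSTRUCTED_LOGIC: Dict[str, bytes] = {
    "plc-01": b"LD I0.0\nAND I0.1\n= Q0.0\n",
    "plc-02": b"LD I1.0\nTON T1, 500ms\n= Q1.0\n",
}


def build_baseline() -> Baseline:
    """Populate the inventory from the constructed maintenance-window reads."""
    baseline = Baseline()
    baseline.record("plc-01", "pump-house-A", CONSTRUCTED_LOGIC["plc-01"])
    baseline.record("plc-02", "substation-B", CONSTRUCTED_LOGIC["plc-02"])
    return baseline


def audit(baseline: Baseline, live_reads: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every live read; anything but 'unchanged' needs a human look."""
    return {plc_id: baseline.check(plc_id, logic)
            for plc_id, logic in live_reads.items()}


if __name__ == "__main__":
    base = build_baseline()
    live = dict(CONSTRUCTED_LOGIC)
    live["plc-02"] = b"LD I1.0\n= Q1.0\n"   # constructed: timer step removed
    live["plc-99"] = b""                     # constructed: never inventoried
    for plc_id, verdict in audit(base, live).items():
        print(f"{plc_id}: {verdict}")
```

The history is append-only on purpose: a "drift" verdict points the operator at the previous hash as the restore target, and a controller that was never recorded is reported as such rather than silently accepted.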

Monitoring the network activity and searching for signatures and indicators of compromise has proven challenging as well. The “open architecture” of the Internet age does not exist in industrial networks. Since every industrial equipment vendor implements their own proprietary network technology, most of which are not well documented, it is difficult to understand all the activity on the network.

To add even more complexity, it is common for multiple vendor technologies to be implemented in the same industrial network. This complexity and the lack of adequate monitoring tools create blind spots that can allow sophisticated code, or insiders with malicious intent, to go undetected and compromise PLCs.
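Where the protocols themselves cannot be decoded, the conversation pattern still can be. As an added example (not part of this commentary and not a product's code), the Python below learns which hosts talk to which controllers on which ports during a quiet window and then flags anything outside that set, distinguishing an unknown host from a known host using a new port or reaching a controller it never touched. All flow records, addresses and host roles are constructed; only the port numbers 502 (Modbus/TCP) and 102 (S7comm over ISO-TSAP) are real-world values.

```python
"""Added example, not from the article: learn which hosts talk to which
controller on which port during a quiet window, then flag conversations
outside that set. Flow records, addresses and host roles are constructed;
port 502 (Modbus/TCP) and port 102 (S7comm) are the only real-world values."""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]   # (source address, destination address, dest port)

# Constructed flows observed while the plant ran normally.
LEARNING_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.2.5", 502),   # HMI -> plc-01, Modbus/TCP polling
    ("10.0.1.10", "10.0.2.6", 502),   # HMI -> plc-02, Modbus/TCP polling
    ("10.0.1.20", "10.0.2.5", 102),   # engineering workstation -> plc-01, S7comm
]


def learn_allowlist(flows: List[Flow]) -> Set[Flow]:
    """Every (src, dst, port) seen in the learning window is treated as normal."""
    return set(flows)


def classify(allow: Set[Flow], flow: Flow) -> str:
    """Say why a flow is outside the allowlist, from most to least alarming."""
    src, dst, _port = flow
    if flow in allow:
        return "allowed"
    known_sources = {s for s, _, _ in allow}
    known_pairs = {(s, d) for s, d, _ in allow}
    if src not in known_sources:
        return "new-source"          # a host that never spoke during learning
    if (src, dst) in known_pairs:
        return "new-port"            # known pair, but a protocol it never used
    return "new-conversation"        # known host reaching a controller it never touched


def flag_flows(allow: Set[Flow], flows: List[Flow]) -> List[Dict[str, object]]:
    """Return one finding per flow that is not on the allowlist."""
    findings: List[Dict[str, object]] = []
    for flow in flows:
        verdict = classify(allow, flow)
        if verdict != "allowed":
            src, dst, port = flow
            findings.append({"src": src, "dst": dst, "port": port, "reason": verdict})
    return findings


# Constructed flows from a later window, three of which deserve review.
LATER_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.2.5", 502),   # normal HMI polling
    ("10.0.1.99", "10.0.2.5", 102),   # unknown host using the engineering protocol
    ("10.0.1.10", "10.0.2.5", 102),   # HMI using a protocol it never used before
    ("10.0.1.20", "10.0.2.6", 102),   # workstation reaching a controller it never touched
]


if __name__ == "__main__":
    allowlist = learn_allowlist(LEARNING_FLOWS)
    for finding in flag_flows(allowlist, LATER_FLOWS):
        print(finding)
```

This deliberately needs no knowledge of the proprietary payloads: it reasons only about who talks to whom and on which port, which is exactly the information a span port or flow collector yields even when the vendor protocol is undocumented. The learning window must itself be trusted, which is why it belongs in a planned maintenance period rather than being learned continuously.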

Collateral Damage
The threat of cyberweapons goes beyond their direct impact on industrial facilities since successful attacks can produce massive and unintended collateral damage beyond their initial target. That’s because they are attacking a technology that is ubiquitous across the industrial sector. Attack code could easily spread to infrastructures and industries that weren’t originally targeted, yet they would still suffer from its consequences.

Another serious concern is the possibility that these new cyberweapons will end up in the wrong hands, “leaked” by disgruntled employees or through security breaches. It’s worth mentioning that contractors bidding for the United States Cyber Command contract include companies like Boeing and Lockheed Martin, both of which were victims of information theft by Chinese hackers in recent years.

Cyberattacks targeting critical infrastructure are not theoretical; they are real and pose an even greater threat in the wake of new classes of cyberweapons being developed to exploit design issues and vulnerabilities in industrial networks. The lack of security controls and vulnerabilities in PLCs, combined with insufficient visibility and control over operational networks, is a problem that can’t be addressed too soon.

Barak Perelman is CEO of Indegy, an industrial security firm that helps critical infrastructure companies operate efficiently and reliably by protecting against cyberattacks. He is a graduate of Talpiot, the elite Israel Defense Forces (IDF) academy where he led several ...