
Attacks/Breaches

7/12/2018 10:30 AM
Wayne Lloyd
Commentary

ICS Security: 'The Enemy Is in the Wire'

Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

"The enemy is in the wire." During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we've known this for years; however, the call rang frighteningly true in May of this year.

This particular enemy was first discovered in August 2017 as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down.

This company, which to date has not been named, called Saudi Aramco to help investigate software found on some of its computer systems. Together with experts from Mandiant, they discovered a new cyber weapon with echoes of Stuxnet, which was used to attack and disable Iran's uranium enrichment plant by making centrifuges spin at self-destructive speeds.

This new cyber weapon, however, was not designed to directly destroy a piece of equipment. It was designed to degrade what is known as a safety instrumented system, commonly used to monitor systems in nuclear power plants and oil and gas refineries. If Trisis had worked, the equipment would have gone past redline, creating catastrophic damage and potential loss of life. However, the creators of Trisis made a mistake, and the safety systems worked to shut down the equipment.

Now fast forward to May 2018. Researchers at startup Dragos announce that Trisis has been modified, infecting other safety instrumented systems. The shocking part is that this version of Trisis wasn't found in Middle East industrial systems, but in industrial systems inside the United States. The enemy is now truly in the wire.

What would happen if an industrial control system (ICS) were attacked and destroyed? We don't have to speculate. In December 2015, the Ukrainian power grid was disabled by malware called Crash Override. The Ukrainian grid was compromised by a phishing attack that originated in the IT system and jumped into the operational technology (OT) system. Researchers believe it was part of the Russian campaign to annex the Crimean Peninsula. That's a real-world example. But long-term outages will lead to consequences that the civilian population of a modernized country can't handle well, according to the Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat report.

Taking out the grid would be painful, but the grid can be brought back online. To really cripple large parts of the US, enemies could target our massive electricity-producing generators, which are made in China and India. Electric companies don't keep spares on hand, and it can take a year to build one. In World War II, we started bombing the factories instead of going after the finished planes on runways. If you take out the means of production, the rest goes downhill rapidly. If the generators are destroyed by compromising safety instrumented systems, it would indeed go badly for the population.

For example, in the many months it would take to get replacements from China or India, food and medicine distribution systems would become ineffective. Grocery stores typically only keep enough food on hand for three days. Without power, air conditioning and heat will not work, which can be deadly to the young and elderly. Traffic systems would be disabled, causing gridlock and preventing needed supplies and help from reaching those in need. Law enforcement and emergency personnel capabilities would be barely functional in the short term and become dysfunctional over sustained periods. Our military would have to be diverted to help the homeland civilian population. If timed right, a nation-state would be able to take advantage of allies that depend on US military support for their defense. The end results are truly dire. 

Because of this scenario, the US government is taking strategic steps to help counter the threats to the nation's critical infrastructure. The Department of Homeland Security has a program called the Apex Next Generation Cyber Infrastructure, which according to its website, "addresses the challenges facing our nation's critical infrastructure sectors, enabling infrastructure to operate effectively, even in the face of sophisticated, targeted cyberattacks." Similarly, the Department of Energy (DOE) in March 2018 released its Multiyear Plan for Energy Sector Cybersecurity, detailing its own cyber strategies. Both are long-term efforts; the DOE plans will be fully in place in four years. 

Meanwhile, there are near-term things that can be done to improve the security of industrial systems:

  • A full accounting of what is on OT and IT systems should be done first, to identify what is present, how the identified systems are configured, and how they can pass data throughout the network.
  • Then organizations can identify ICS and network devices that should be decommissioned and replaced with new and more secure devices.
  • Next, organizations should implement network segmentation, where possible.
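The three steps above (inventory what is on the network and how it communicates, find devices that have no business being there, and enforce segmentation) can be checked mechanically once flow data is available. The following script is an added example, not code from the article or its author: it builds a host inventory from constructed flow records, reports devices seen on the wire that are missing from the asset register, and lists flows that cross zones in a way the segmentation policy does not allow. All hosts, zones, ports, firmware strings and the policy table are constructed assumptions for illustration.

```python
"""Added example (not from the article): asset inventory and segmentation
check over constructed network flow records.

Steps, in the order the article gives them:
  1. build an inventory of what is on the wire and who talks to whom;
  2. flag devices that appear in traffic but not in the asset register;
  3. check each observed flow against a zone segmentation policy.
All IPs, names, zones, firmware strings and the policy are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str      # "IT", "OT" or "SIS" (safety instrumented system)
    firmware: str  # firmware/OS version as recorded in the register


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed asset register: what the organisation believes is deployed.
ASSETS = [
    Asset("10.1.0.10", "hist-server", "IT", "Win2016"),
    Asset("10.1.0.20", "eng-workstation", "IT", "Win10"),
    Asset("10.2.0.5", "plc-01", "OT", "fw-2.3.1"),
    Asset("10.2.0.6", "hmi-01", "OT", "fw-1.9.0"),
    Asset("10.3.0.2", "sis-controller", "SIS", "fw-4.0.2"),
]

# Constructed flow records, as a span-port sensor or firewall log might export.
FLOWS = [
    Flow("10.1.0.20", "10.2.0.6", 3389, "tcp"),  # engineering RDP into the HMI
    Flow("10.2.0.6", "10.2.0.5", 502, "tcp"),    # HMI polling the PLC (Modbus/TCP)
    Flow("10.1.0.10", "10.2.0.5", 502, "tcp"),   # IT host talking straight to the PLC
    Flow("10.2.0.6", "10.3.0.2", 1502, "tcp"),   # HMI reaching the safety controller
    Flow("10.2.0.99", "10.2.0.5", 502, "tcp"),   # source is not in the asset register
]

# Assumed segmentation policy: permitted (source zone, destination zone, port)
# triples. Anything not listed is reported.
POLICY = {
    ("IT", "OT", 3389),  # engineering access to HMIs only
    ("OT", "OT", 502),   # Modbus/TCP stays inside the OT zone
}


def build_inventory(assets, flows):
    """Map every IP seen in traffic to its asset record (None if unknown) and
    the set of peers it exchanged traffic with: the 'full accounting' step."""
    by_ip = {a.ip: a for a in assets}
    inventory = {}
    for f in flows:
        for ip in (f.src, f.dst):
            inventory.setdefault(ip, {"asset": by_ip.get(ip), "peers": set()})
        inventory[f.src]["peers"].add(f.dst)
        inventory[f.dst]["peers"].add(f.src)
    return inventory


def unknown_devices(inventory):
    """IPs present on the wire with no asset record: candidates for review or removal."""
    return sorted(ip for ip, rec in inventory.items() if rec["asset"] is None)


def segmentation_violations(inventory, flows, policy):
    """Flows whose (src zone, dst zone, port) is not permitted by the policy.
    Unknown devices get zone '?' so their traffic is never silently accepted."""
    def zone(ip):
        asset = inventory[ip]["asset"]
        return asset.zone if asset else "?"

    violations = []
    for f in flows:
        src_zone, dst_zone = zone(f.src), zone(f.dst)
        if (src_zone, dst_zone, f.dport) not in policy:
            violations.append((f.src, f.dst, f.dport, src_zone, dst_zone))
    return violations


def run_checks(assets=ASSETS, flows=FLOWS, policy=POLICY):
    """Run all three steps and return the findings as a dictionary."""
    inv = build_inventory(assets, flows)
    return {
        "hosts_seen": sorted(inv),
        "unknown": unknown_devices(inv),
        "violations": segmentation_violations(inv, flows, policy),
    }


if __name__ == "__main__":
    report = run_checks()
    print("hosts seen on the wire:", report["hosts_seen"])
    print("devices missing from the register:", report["unknown"])
    for src, dst, port, sz, dz in report["violations"]:
        print(f"segmentation violation: {src} ({sz}) -> {dst} ({dz}) port {port}")
```

On the constructed data the script reports one unregistered device (10.2.0.99) and three flows the policy does not permit: an IT server speaking Modbus/TCP directly to a PLC, an HMI reaching the safety controller, and the unregistered device polling the PLC. The point of keeping the policy as an explicit table is that each finding is then either a firewall rule to add or a device to decommission, which is exactly the output the inventory step is meant to produce.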

Obviously, this is not foolproof, but it does add more complexity that attackers must overcome in order to compromise an ICS. The extra time that costs them raises the chance that they are caught before they can compromise anything.

This is intensive work, but it is work that must be done in order to determine what is most at risk. Companies can and should take steps to make their OT and IT systems resilient. What is a resilient system from a cybersecurity perspective? It is a system that is hard to hit, can detect incidents immediately, and can respond rapidly. The foundation for resilience is first knowing your environment completely.


Wayne Lloyd has over 25 years of field experience in information technology, with the last 15 years directly focusing in cybersecurity, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability risk assessment, and ...

Comments
RetiredUser (User Rank: Ninja), 7/13/2018 | 6:52:39 PM
Locking Down ICS & Embedded Solutions
I worked for a time at one of the older process systems manufacturers in Southern California. It was a great learning experience where I got my hands in almost every stage of the development life cycle. As many know of me professionally, I am a proponent of open software and hardware. However, when it comes to the security of our water and power infrastructure I take a very different stance. While the processes leading up to developing sound ICS may well include open source software or even open hardware in early stages, I feel strongly that the final product must be closed - for both software and hardware - and the system itself be highly proprietary to encourage security.

Encrypting process control firmware and locking down critical steps in the process flow may become a necessity as crackers grow more bold and their tools more sophisticated. System hardening and patch management are key activities and should be audited often. While not all intrusions related to ICS are due to old systems with glaring vulnerabilities, regular reviews of firmware and embedded OS versions and patch levels, analyzing traffic to controllers and reviewing interfaces to field processes with computer-based systems, readout equipment and other instrumentation may help uncover malware or other suspicious activity early.

There are more white papers out there lately regarding this topic from the top manufacturers of ICS tech and hopefully they are being read and recommendations are being implemented. The stakes are too high not to do so.

MarkSindone (User Rank: Moderator), 7/23/2018 | 10:03:21 PM
Re: Locking Down ICS & Embedded Solutions
Do we have a choice anymore now that attacks are getting even more common nowadays? As long as we are connected, we become vulnerable and are open targets to hackers. There is just so much that the government and we can do and at the end of the day, we are just considered unlucky to have fallen victim to them. There is really no way out if you were to ask me if we wish to prevent the attacks. We just have to accept them and come up with countermeasures.