Dark Reading is part of the Informa Tech Division of Informa PLC

12/22/2015
10:30 AM
Eric D. Knapp
Commentary


The Industrial Cyber Myth: It's No Fantasy

As threats become more sophisticated, the industry is still playing catch-up.

New cyber threats materialize every day, getting more frequent and more sophisticated. We all know about the game-changing Stuxnet cyberattack on Iran’s nuclear facilities back in 2010, but there’s no need to look that far back. A much shorter look back to 2014 shows us far worse: increasingly sophisticated attacks such as Flame, Shamoon and Havex that are every bit as worrisome as “the Big S.”

Let’s face it: malware today is quality stuff, polymorphic and highly intelligent. 

Unfortunately, targeted attacks on critical infrastructure rarely make it to the news, and so they are shrouded in mystery to the point where some may even call them mythic. 

There have been incidents, however -- major ones. Within just the past year we’ve seen multiple cyber espionage campaigns, including Dragonfly and Black Energy. We’ve seen physical damage occur as the result of a cyber incident, in the case of a German steel mill, widely reported in Wired and other media early this year, where “massive” damage resulted from a cyberattack that prevented the proper shutdown of a blast furnace, according to a German report.

The “advanced threat” continues to evolve. Newer malware has even been able to successfully breach a leading cyber security research lab. Duqu 2.0, which was discovered earlier this summer by Kaspersky Lab, has taken the title and is now being lauded as “the most sophisticated malware ever seen.” The cyber-espionage tool was authored by the same team responsible for the original Duqu, which in turn is believed to be a variant of that original Iranian-enrichment-debilitating media darling that threatened industrial control environments back in 2010.

We’ve seen three targeted espionage campaigns against industrial environments that I know of; undoubtedly there are more. Why is espionage so scary? Because espionage is used to gather the intelligence needed to engineer targeted attacks.

This year at the 2015 Black Hat USA conference, we heard about how to cause physical damage through cyber means from some of the best. Jason Larsen of IOActive demonstrated how compromising a process control system is only the start of the work: it’s the physics of the process that translates cyber manipulation into physical damage. To engineer a cyber-physical attack, you need a lot of information about the control system itself: the assets, parameters and measurements.

Getting back to Dragonfly, it seemed harmless enough: it only scanned the control system, collecting data about the process including assets and parameters.

Even more disturbing, as cybercrime advisor Raj Samani pointed out at a Honeywell User Group Conference in San Antonio, while information stolen in most espionage campaigns surfaces on the black market, the information stolen by Dragonfly doesn’t seem to have surfaced yet. There’s no way to predict what it’s being used for, if anything. But those who’ve worked in security for a while can’t help but speculate: if understanding the details of a compromised control system is the first step in a difficult attack process, a targeted attack seems the inevitable end result.

The threats are getting more sophisticated as attackers continue to attempt to manipulate compromised industrial control systems in order to cause physical damage. Meanwhile, the industry is just playing catch-up.

If we continue to treat the industrial cyber threat as a thing of myth and legend, it will only make the problem more real.

Eric D. Knapp is Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions. Eric is a recognized expert in industrial control systems cyber security. He is the author of "Industrial Network Security: Securing Critical Infrastructure Networks ..."

Comments
hojtfredrik,
User Rank: Apprentice
1/12/2016 | 6:06:41 AM
Ransomware
One thing is the actual incidents; another thing is the unknown extortion demands that don't reach the media. Even if an attacker "just" shows that they can enter and read data, that doesn't mean the financial harm can't be substantial. Today, everyone is (or should be) aware of the damage leaked emails can do, as highlighted, for instance, by the Sony Entertainment hack. How much will anyone willingly pay to avoid that? And how much would someone pay to avoid a factory breakdown like the German incident?
PaulFerrillo,
User Rank: Apprentice
1/3/2016 | 7:04:36 PM
Re: Best Practices
Like IoT devices, can't ICS and SCADA systems be red-teamed to death in order to discover critical vulnerabilities that might exist, before someone takes advantage of them? ICS devices are here to stay. It's what we do with them and how we monitor and assess their cybersecurity and vulnerability that matters.
RyanSepe,
User Rank: Ninja
12/30/2015 | 10:43:10 AM
Re: Best Practices
I agree with deep monitoring and defense in depth, but new malware has evolved to the point where there are layers and layers of obfuscation, making malware very transparent in most cases, e.g. GlassRAT.
Dr.T,
User Rank: Ninja
12/30/2015 | 10:37:32 AM
Re: Source and motive
"... a government source/backer, then the information wouldn't surface on the black market ..."

I hear you. You never know; governments may expose it on the black market if it targets specific countries. :--)))
RyanSepe,
User Rank: Ninja
12/30/2015 | 10:36:44 AM
Re: England Rugby Team 2016
Seems to be the case.
Dr.T,
User Rank: Ninja
12/30/2015 | 10:34:54 AM
Re: England Rugby Team 2016
What is the point? Another advertisement?
Dr.T,
User Rank: Ninja
12/30/2015 | 10:32:45 AM
Re: Best Practices
"... specific security safeguards and best practices..."

I think it starts with deep monitoring of your environment and doing analytics on the logs. I doubt that there is a single specific safeguard that can help; it should be levels of countermeasures.
Dr.T,
User Rank: Ninja
12/30/2015 | 10:29:23 AM
Pharmaceuticals?
It makes sense that they would be the target. Any piece of information could be used in many different ways as long as it relates to pharmaceuticals. Clinical trials and other things have a high rate of ROI.
Joe Stanganelli,
User Rank: Ninja
12/28/2015 | 12:49:02 PM
Source and motive
It really depends upon who is behind the attacks. If Dragonfly, for instance, had a government source/backer, then the information wouldn't surface on the black market because it's not being used for immediate monetary gain -- and one can speculate as to whether or not that makes one feel better or worse about the breach of their information.
MuhammadA222,
User Rank: Apprentice
12/22/2015 | 2:21:28 PM
England Rugby Team 2016
Getting back to Dragonfly, it seemed harmless enough: it only scanned the control system, collecting data about the process including assets and parameters. 