New cyber threats materialize every day, growing more frequent and more sophisticated. We all know about the game-changing Stuxnet cyberattack on Iran’s nuclear facilities back in 2010, but there’s no need to look that far back. A much shorter look back, to 2014, shows us far worse: increasingly sophisticated attacks such as Flame, Shamoon and Havex that are every bit as worrisome as “the Big S.”
Let’s face it: malware today is quality stuff, polymorphic and highly intelligent.
Unfortunately, targeted attacks on critical infrastructure rarely make it to the news, and so they are shrouded in mystery to the point where some may even call them mythic.
There have been incidents, however -- major ones. Within just the past year we’ve seen multiple cyber espionage campaigns, including Dragonfly and Black Energy. We’ve seen physical damage occur as the result of a cyber incident, in the case of a German steel mill, widely reported in Wired and other media early this year, where “massive” damage resulted from a cyberattack that prevented the proper shutdown of a blast furnace, according to a German report.
The “advanced threat” continues to evolve. Newer malware has even been able to successfully breach a leading cyber security research lab. Duqu 2.0, which was discovered earlier this summer by Kaspersky Lab, has taken the title and is now being lauded as “the most sophisticated malware ever seen.” The cyber-espionage tool was authored by the same team responsible for the original Duqu, which in turn is believed to be a variant of that original Iranian-enrichment-debilitating media darling that threatened industrial control environments back in 2010.
We’ve seen three targeted espionage campaigns against industrial environments that I know of; undoubtedly there are more. Why is espionage so scary? Because espionage is used to gather intelligence that is needed to engineer targeted attacks.
This year at the 2015 Black Hat USA conference, we heard about how to cause physical damage through cyber means from some of the best. Jason Larsen of IOActive demonstrated how compromising a process control system is only the start of the work: it’s the physics of the process that can translate cyber manipulation to physical damage. To engineer a cyber-physical attack, you need a lot of information about the control system itself: the assets, parameters and measurements.
Getting back to Dragonfly, it seemed harmless enough: it only scanned the control system, collecting data about the process including assets and parameters.
Even more disturbing, as cybercrime advisor Raj Samani pointed out at a Honeywell User Group Conference in San Antonio, while information stolen in most espionage campaigns surfaces on the black market, the information stolen by Dragonfly doesn’t seem to have surfaced yet. There’s no way to predict what it’s being used for, if anything. But those who’ve worked in security for a while can’t help but speculate: if understanding the details of a compromised control system is the first step in a difficult attack process, then a targeted attack seems the inevitable end result.
The threats are getting more sophisticated as attackers continue to attempt to manipulate compromised industrial control systems in order to cause physical damage. Meanwhile, the industry is just playing catch-up.
If we continue to treat the industrial cyber threat as a thing of myth and legend, it will only make the problem more real.