New threats to ICS/SCADA systems and practical protection
20 April 2017
The cyber world has changed dramatically over the past 12 months. Cyber attacks on ICS/SCADA networks and breakthrough research discoveries have made investment in top level cybersecurity an absolute priority for companies, argues Phil Neray of CyberX, while Tim Ricketts of M.A.C. Solutions provides advice on improving the security of ICS networks.
Although many business decision-makers may be familiar with Stuxnet, the German steel mill attack, BlackEnergy malware and how a Michigan Utility got hacked with ransomware, many are still reluctant to invest more on tighter security controls to reduce the risk of cyber attacks on their Industrial Control Systems (ICS).
At a recent conference, Richard Clarke, a former top counter-terrorism advisor who later served as the first White House cybersecurity czar, pointed to numerous major disasters that were clearly predicted by experts but ignored by decision-makers. These include the sub-prime mortgage crisis of 2008, the Fukushima nuclear meltdown, the Madoff investment scandal, and several mining disasters. In each case, nobody acted on the experts’ predictions.
Clarke then explained why ICS cybersecurity is similar to these disasters because the cost of dealing with the disaster is disproportionately higher than the cost of mitigating it beforehand.
The outcome of a successful cyber attack on critical infrastructure is not something anybody wants to test. A quick look at incidents that have made it to the headlines – be it actual cyber attacks or new vulnerabilities and campaigns – is all one needs to persuade business executives to allocate more budget to mitigate against modern ICS hacking scenarios.
Ukrainian grid attacks
Before December 2014, nobody had ever used a targeted cyber attack to turn off electric power in the middle of a cold winter. In December 2016, it happened yet again, according to Ukrenergo, the electric utility for the Ukrainian capital of Kiev.
Attack on SWIFT Global Banking System
In 2015 and 2016, the SWIFT banking system was hacked three times (by North Korea), making it the first known incident of a state actor using cyber-attacks to steal funds.
NSA’s Top-Secret Cyber Weapons Posted on the Internet
In August 2016, the National Security Agency’s (NSA) top cyber tools and techniques were posted on the Internet, giving any ‘script kiddie’ unfettered access to the world’s most sophisticated cyber weapons. Released by the Shadow Brokers was a huge cache of specialised malware, including dozens of backdoor programs and 10 zero-day exploits, two of these targeting vulnerabilities in widely-used Cisco routers.
Zombie botnet army brings down the Internet
On October 21, 2016, America’s Internet was brought down by 450,000 IoT devices, which had been assembled into a massive botnet army. The unprecedented DDoS attack prevented users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. The attack targeted DYN’s managed DNS service, a major element of the US critical infrastructure.
Large-scale cyber reconnaissance targeting Ukranian companies
On 15 February 2017, CyberX discovered a new, large-scale cyber reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”
CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media and scientific research. The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screenshots, documents and passwords. Unlike video recordings, which are often blocked by users, simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware. Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organisations by the Ukrainian government.
New KillDisk malware: bringing ransomware into the industrial domain
In December 2016, CyberX uncovered new evidence that the KillDisk disk-wiping malware, previously used in the cyber attacks against the Ukrainian power grid, has now evolved into ransomware.
By reverse-engineering the new malware variant, the team at CyberX found that it displays a pop-up message requesting 222 Bitcoins or approximately 206,000 US dollars in return for the decryption key.
The new malware encrypts both local hard drives and any network-mapped folders that are shared across the organisation, using a combination of RSA 1028 public key and AES shared key algorithms, where each encrypted file has its own AES key.
RADIATION Campaign: unusual IIoT botnet attack
Months before Mirai malware was found to be infecting IoT devices, CyberX discovered the RADIATION Campaign. Targeting surveillance cameras commonly used in industrial environments, the RADIATION malware is much more sophisticated than Mirai because it exploits a zero-day vulnerability in IIoT devices rather than open ports and default credentials that can easily be addressed.
Since the campaign discovery, CyberX has identified 25,000 Internet-accessible devices compromised by RADIATION — and found that cyber criminals are now providing DDOS-for-Hire services using this massive botnet army.
ICS cyber protection
The Ukraine Power Station cyber attack in 2016, which left 230,000 people in the dark and without power for six hours, had as the attack vector the facility’s supervisory control and data acquisition (SCADA) system. This has provided several important lessons to those companies wishing to improve their cyber security systems, including the following:
• Use the data that is available to you – well before the attack occurred. Spikes in network traffic would have been seen from the updates made to device firmware. This would have been an early warning indicator that something was wrong. The success of the attack pivoted around this mistake.
• Consider the access that your engineers have to the system. For example, are all of the entry points needed? If so, have they been secured with the correct level of protection?
• Use up-to-date anti-virus definitions to catch known malware.
• Learn about your usual alarm events and monitor for abnormal events within the process and control system.
• The attacker will be persistent, conducting a large amount of reconnaissance over a period of months. Taking an evolutionary approach to your network security ensures that you will be ahead of the attacker.
The stakes have changed
The stakes have changed, but the defences have not – therein lies the problem. The typical industrial control network may appear to have the greatest of all protection – air gapping.
This physical network separation is now the status quo across industry, and rightly so. As the defence has changed now, so has the attack vector. Malware that is created to destroy a SCADA system, for example, will lay dormant until it finds its target, moving from phone to USB stick to laptop, using its host as a means of transport, until it finally meets its end destination – your process and control equipment. The damage is now done. The dormant malware that evaded your corporate firewalls and personal device protection is now on an air gapped system – a system that will likely have an out of date firewall due to the very reason it was deemed to be secure.
If your question as a business is still “what extra training do I need for my staff to combat this threat?” then your security is already compromised, but not for the reason you might think. The key trend across all attack vectors in all industries is that people are the problem: password capture, insecure connections, phishing emails and the USB stick in the car park. These attacks play on one human instinct, curiosity. For this reason alone you cannot solely rely on the fact that your staff have been trained.
The methodology of persistent security is to assume the worst and therefore be at the forefront of the defensive evolution for your process and control system. It requires building an eco-system in which you have full visibility of your weaknesses, so that you can be ahead of the attacker.
To do this, you must firstly contain your network, ensuring that access to critical systems is planned, logged and audited. The access that is granted must also be controlled. End device protection technology such as Sheep Dip USB Device protection must be implemented so that end devices are protected from internal tampering or accidental exposure to malware – those devices that may have already been exposed to malware can also be detected using the latest definitions, without having to ever expose them to the Internet.
Once you can be confident that your devices are secure, monitoring of your network is fundamental to understanding your weaknesses and offers the potential to expose existing breaches that may have occurred months previous. Quickly patching these insecure access points and understanding your vulnerabilities may deter the opportunistic attacker. To do this effectively, cybersecurity products should be able to gather usual network traffic, logs, control events and then use this as a basis for detecting anomalous activity.
Discoveries made within weeks of using the ‘Persistent Security’ technique should include: Clear text / weak passwords; Illegal remote connections to OT; Unexpected / unknown devices in the network; Misconfigured PLCs; Operational malfunctions; Generic and targeted malware; Manufacturer vulnerabilities; Multiple wireless access points; Direct Internet connections; and Exploitable attack vectors.