Workload and Application Security Blog

Critical infrastructures for ICS security and ICS SCADA security will have to operate if there's malware on it or not

Written by Virsec | Sep 20, 2018 4:43:59 AM

Listen to the webinar this article is based on;

Expert commentary given from Major General Robert Wheeler, retired US Air Force, and former Deputy Chief Information Officer for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC), US Air Force, expressed this viewpoint in a webinar organized this past week by California-based cyber-security firm Virsec.

Industrial control systems (ICS) security  and ICS SCADA security critical infrastructures have weak points that make them susceptible to threat actors. The thinking that these industrial control systems are protected because they are “air-gapped” and separate from the Internet is false thinking. In many cases, they are connected to the Internet and even where they aren’t, other means of attack exist, as has been proven many times in recent years. All it takes is in infected USB drive, a comprised third party, an accidental insider or other means.

Threats Are Likely Already Inside Your Network

In fact, it’s highly likely that threats are already present inside these networks. Attacks have evolved and even their objectives have changed. The objective isn’t always immediate theft – or “smash and grab.” Now, thieves want to spend their time gathering information.

“Now, they're spending a lot more time observing, spending time in there digging deep, having multiple backdoors, [...] and having it that even if you're aware what happened it's very difficult for you to actually figure out how to stop them. That's one that bothers me..."

General Wheeler explains why the best approach is for these industrial control systems security infrastructures to be prepared to operate even if malware or an attacker is present. The idea is that the network’s functions should continue and be available as normal for end users regardless.

“Cyber-security experts believe that companies and government agencies should be prepared to operate networks even if there's malware or a threat actor on the network or not.”

This is not the current approach. Not initially designed with security in mind, if an intruder is detected, these networks shut down. But this isn’t practical anymore. The functions of these infrastructures are too critical.

Even outside ICS cyber security critical infrastructures such as electric grids or nuclear power plants, other critical systems are also vulnerable yet it’s imperative that they keep operating. Banks for instance can’t shut down for a couple weeks if they suspect a bad guy or malware is in their network. They have to carry on with their business while they figure out what’s going on. They would do this by isolating the problem and adopting new security measures that go far beyond the old school of perimeter defense.

In Data Attacks, Bad Actors Don’t Steal the Data, They Change It

Another type of attack is one that attacks data. Maj. Wheeler explains this doesn’t mean exfiltrating or stealing the data, but actually changing it. A hacker or disgruntled employee who wanted to cause problems for a bank could alter or scramble bank account numbers.

Scrambling or manipulating information that comes from big data, from sensors, is a big risk. Or an attack on election data. And on and on. Many systems are at risk.

"The biggest challenge [to securing critical infrastructures] is that there is a general lack of understanding of the threat across the government. For many, if they can't see it, and if they haven't been directly affected yet, it doesn't exist," the Maj. General told ZDNet. "Before we can improve our tools and training, or adopt meaningful legislation, we must bridge this fundamental knowledge gap.”

The evidence that ICS systems are a prime target for sophisticated attackers, including nation state bad actors, was clearly shown last year by the marked increase of attacks aimed at ICS facilities. This includes Industroyer, Black Energy, Killdisk, Sandworm, Triton attack and many more.

Read full article Critical infrastructure will have to operate if there's malware on it or not

Listen to Webinar

Critical infrastructure is increasingly at risk from a wave of these advanced cyberattacks. StuxNet, HaveX, Black Energy, Industroyer, Triton and others use advanced hacking techniques and memory exploits to hijack control, cause disruption, and shut down critical systems. These techniques bypass conventional network security tools and have been considered “indefensible” by many experts.

Industroyer

Industroyer is believed to be the malware that shut down the power grid in Kiev, Ukraine’s capital, in December 2016. It was the first malware capable of attacking power grids automatically, versus BlackEnergy, which was used in manual attacks against the Ukrainian power grid and others.

Black Energy

BlackEnergy was the advanced persistent threat (APT) responsible for attacking and shutting down electrical grids in Ukraine in December three years ago. Now BlackEnergy has an architecturally similar and more modern successor, GreyEnergy, that’s emerged the end of 2018. While it’s showing similarities to its predecessor, so far, GreyEnergy has a different focus. Rather than shutting electrical grids down, GreyEnergy’s main objective is cyber-espionage.

Triton Attack

The malware behind the Triton attack, also called Trisis, or HatMan, attacked safety instrumented systems (SIS), a critical component designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

The Triton attackers gained control and then made moves to disrupt and take down the industrial process. All that the attackers intended isn’t known because, fortunately, the attack accidentally triggered a plant shutdown, leading to the discovery of the attack and subsequent further investigation.