Until mid-July, a malware attack on the SCADA control systems that power grids depend on was considered just one of many HILFs. Not anymore. Now it is better to have a plan and, as the Boy Scout motto says, “Be Prepared” with a defense-in-depth stance.
For CIOs this couldn’t come at a worse time: an unstable economic situation for business combines with the Stuxnet worm, which has erupted into a proof-of-concept nightmare of what malware can do to the power grid and, worse, what grid failure can do to an unprepared business.
HILF is the catchy new term for a show-stopping event, and no, it doesn’t start with an “M”. HILF stands for High Impact, Low Frequency. These events include malware targeting SCADA controls as well as “Acts of God” and even EMP (electromagnetic pulse), which the report attributes to solar flares or nuclear detonation.
Businesses take note: the NERC strategy suggests that businesses plan for HILFs such as EMP or malware such as Stuxnet. In particular, it stresses planning for cascading effects, in which one emergency bleeds over into another.
The NERC report examines three high-impact, low-frequency risks in detail: coordinated cyber, physical, or blended attacks; pandemic illness; and Geomagnetic Disturbance (GMD) and Electromagnetic Pulse (EMP) events. These risks are rare, and in some cases have never occurred.
Article: Learn Seven Ways To Keep HILFs From Crashing Your Party
Stuxnet’s Sophisticated Attack
Stuxnet has been evaluated as a weaponized exploit packaged neatly into a sophisticated social engineering nightmare. Why is this little critter causing so much discussion?
- Stuxnet has automated espionage against a critical infrastructure component. What used to take Cold War spies years to penetrate and diagram was automated within seconds. It was designed to gain access to the visual information part of the control system – the user interface or human machine interface (HMI).
- This blended threat masks whodunit. The true intent behind Stuxnet may never be known and, theoretically, the rootkit nature of this malware could have allowed future attacks to propagate, endangering the entire control system. All of this could occur on a global scale, not unlike a scenario out of Richard Clarke’s Cyberwar book.
- Blended threat: there were boots on the ground and a well-organized global effort. The organization that created Stuxnet also made a masterful social engineering move by heisting the VeriSign-issued digital certificates of the software firms JMicron and Realtek:
Here’s where criminology comes in. Randy Abrams points out that JMicron and Realtek have offices in the same Taiwanese industrial park. These two companies had their digital signing certificates stolen, or at least the signatures may have been stolen. I think that both companies could have been criminally penetrated either through physical means or through the compromise of their shared telco / fiber connection.
Right now there are two schools of thought: one is that industrial control system attacks/hacks are nothing new and may not result in the end of the world. The other line of thinking is that this is an evolution of a threat which, by becoming automated in nature, should be treated with the same respect as a power plant gate guard seeing a gentleman armed with a 12 gauge shotgun approaching his guard booth: the gentleman may be hunting quail, or the gentleman may have ill intent. Either way, it’s up to security to assess the threat potential.
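A defender-side check that follows from the stolen-certificate point above, added here as an example and not part of the original post: it inventories the kernel drivers installed on a Windows workstation (the layer where a driver signed with a certificate stolen from a hardware vendor loads without complaint) and reports each driver’s Authenticode status and signer. It assumes Windows PowerShell 5.1 or later with Get-AuthenticodeSignature available and an account that can read the driver files; the function name Get-DriverSignatureReport is my own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+;
# the function name is my own. Run as an account that can read %SystemRoot%\System32\drivers.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName comes in several shapes: a plain path, "\??\C:\...", or
            # "\SystemRoot\system32\drivers\x.sys"; normalise it to a usable path.
            $path = $_.PathName -replace '"', ''
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State
                Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
                Signer     = if ($cert) { $cert.Subject }    else { '' }
                Issuer     = if ($cert) { $cert.Issuer }     else { '' }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Path       = $path
            }
        }
}

$report = Get-DriverSignatureReport

# Anything other than Valid is a review item, not a verdict: on older Windows
# builds, drivers signed only through a catalog (.cat) file report NotSigned.
# A signature made with a certificate the vendor has since revoked should no
# longer validate either, which is the situation the Stuxnet drivers created.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize

# The signer inventory is the second half of the check: a valid signature from a
# vendor with no business reason to be on this machine should stand out.
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer |
    Sort-Object Count |
    Format-Table Count, Name -AutoSize
```

Run it once on a known-good engineering workstation to record the expected signer set, then diff later runs against that baseline rather than reading the full table each time.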
Excellent detailed overview of the attack, thx! Couldn’t agree more… but why are we surprised? I commented on this at the beginning of the month…
Thanks Ken,
I have several other blogs over at SC Magazine which detail the Stuxnet operation, which now includes the death of a purported CIO-level scientist tasked with cleaning up the Stuxnet mess:
Stuxnet’s persistent legacy: Cybersecurity is blended security – Was the delay of the Stuxnet worm cleanup the true motive behind the assassination of Iranian cyberwarfare and nuclear scientist Majid Shahriari? Was Wikileaks content responsible for the timing of the attack? Analysis follows.
Stuxnet: Precursor to kinetic warfare? - Were cybersecurity and Stuxnet involved with Iranian Prof. Shahriari’s recent assassination? What are the game-changing physical security considerations for chief information officers?
Future Crimes: Will the lights stay on past 2013? – Stuxnet has radically changed the global perception of cyberwarfare leveraging internet-connected SCADA vulnerabilities of critical infrastructure. Will the lights stay on or are we in for trouble?
Excellent overview! Whether ICS attacks via malware are new or merely variations on old themes is not the issue. Whether warnings about ICS vulnerability are self-serving scare tactics or expressions of genuine concern is not the issue. The issue is what should be done as next steps. I have argued elsewhere (Cutter IT Journal) that one of the biggest lessons to be learned is that air-gap protection is a total myth, that any modern system that is and must be maintained up-to-date is necessarily by some path connected to the Internet and the outside world. In fact, there are always multiple paths of invasion and infection, as Stuxnet demonstrated and as I predicted with my 2003 design to attack the U.S. power infrastructure–used in the Lior Samson techno-thriller, Web Games (Gesher Press, 2010).
As you conclude, it is up to security professionals to assess the threat potential. It is also up to them to balance risk versus the cost of reducing the threat. There are big-ticket proposals to rework the entire ICS infrastructure, but there are also low-to-zero cost measures, such as checking to see which windows (or Windows) are locked and which are wide open. Previously, almost all the attention has been on the PLCs and the SCADA networks themselves with little attention to engineering workstations and management systems running Windows and updated through varied vulnerable media. Now our eyes are open and we should keep them open. –Larry Constantine, Madeira Interactive Technologies Institute
Thanks Larry!
Critical Infrastructure has been overlooked for quite some time. Hopefully we won’t have issues to the extent of Stuxnet. I’d be curious to hear about some of your low-to-no cost solutions and compare notes.