Until mid-July, a malware attack on the SCADA control systems that power grids use was considered one of many HILFs. Not anymore. Now it is better to have a plan and, as the Boy Scout motto says, to “Be Prepared” with a defense-in-depth stance.
For CIOs this could not come at a worse time: an unstable economic situation for business, combined with the Stuxnet worm, has erupted into a proof-of-concept nightmare of what malware can do to the power grid and, worse, what grid failure can do to an unprepared business.
HILF is the catchy new term for a show-stopping event, and no, it doesn’t start with an “M”. HILF stands for High Impact Low Frequency. These types of events include malware targeting SCADA controls as well as “Acts of God” and even EMP (electromagnetic pulses), which result from solar flares or a nuclear detonation.
Businesses take note: the NERC strategy suggests that businesses plan for HILFs such as EMP or malware such as Stuxnet. In particular, it stresses planning for cascading effects, in which one emergency bleeds over into another.
The report examines three high-impact, low-frequency risks in detail: coordinated cyber, physical, or blended attacks; pandemic illness; and Geomagnetic Disturbances (GMD) and Electromagnetic Pulse (EMP) events. These risks are rare, and in some cases have never occurred.
Stuxnet’s Sophisticated Attack
Stuxnet has been evaluated as a weaponized exploit packaged neatly into a sophisticated social engineering nightmare. Why is this little critter causing so much discussion?
- Stuxnet has automated espionage against a critical infrastructure component. What used to take Cold War spies years to penetrate and diagram was automated within seconds. It was designed to gain access to the visual information part of the control system – the user interface or human machine interface (HMI).
- This blended threat masks whodunit. The true intent behind Stuxnet may never be known, and theoretically the rootkit nature of this malware could have allowed future attacks to propagate, endangering the entire control system. All of this could occur on a global scale, not unlike a scenario out of Richard Clarke’s book Cyber War.
- Blended threat: there were boots on the ground and a well-organized global effort. The organization that created Stuxnet also made a masterful social engineering move by stealing the VeriSign digital certificates of the software firms JMicron and Realtek:
Here’s where criminology comes in. Randy Abrams points out that JMicron and Realtek have offices in the same Taiwanese industrial park. These two companies’ digital signatures were stolen, or at least may have been. I think that both companies could have been criminally penetrated, either through physical means or through the compromise of their shared telco/fiber connection.
Right now there are two schools of thought. One holds that industrial control system attacks and hacks are nothing new and may not result in the end of the world. The other holds that this is an evolution of a threat which, by becoming automated in nature, should be treated with the same respect as a power plant gate guard seeing a gentleman armed with a 12 gauge shotgun approaching his guard booth: the gentleman may be hunting quail, or the gentleman may have ill intent. Either way, it’s up to security to assess the threat potential.