If you want to do real harm to a country attack its infrastructure — utilities, for example — and its economic base — its industry. In the United States both are under constant attack; not with bombs from the air but with cyber warfare. A previous article discussed cyber threats to electric and water utilities. This post will talk about cyber threats to industrial control systems (ICSs).
Who are the attackers?
ICS-CERT identifies the sources of cyber attacks against industry as national governments, terrorists, industrial spies, organized crime groups, hacktivists, and hackers. Activities, CERT continues, could include espionage, hacking, identity theft, crime, and terrorism.
The rogues’ gallery
While most malware is designed to steal data or extort money, the list of industry-targeting malware dates back a surprisingly long way. Here are some of the better-known ones. Some of the older ones have been defanged, but the newer ones have not.
- BlackEnergy originated in about 2007 as a distributed denial of service (DDoS) weapon from the Russian cybercrime group Sandworm. Updated several times since, it spreads through spam and phishing emails, using infected attachments masquerading as PowerPoint or Word documents. It recruits the computers it infects into botnets. Commercially available anti-malware utilities can detect and remove it.
- Havex, aka Backdoor.Oldrea, was first seen in 2013. It’s a remote-access trojan from the Russian group Energetic Bear (aka Dragonfly) that has been linked to Russian Intelligence Services. It was initially spread both by phishing email and by infiltrating the Web sites of industrial control system software vendors and infecting legitimate software downloads from those sites with a malware package. According to the cybersecurity firm Dragos, BlackEnergy2 “contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess.” So far it seems to have been used mostly for espionage, rather than sabotage. How long this will remain the case is unknown.
- NotPetya, aka Petrwrap, derived from the 2016 ransomware Petya, first became known in 2017 when it was used in a global cyberattack that began by targeting Ukraine, but then spread to several European countries, including Russia, as well as the U.S., where FedEx was particularly affected. Cybersecurity firm McAfee suggests that the malware, which appeared to be crudely written, may have been intended simply to cause chaos, to act as a proof of concept, or as a distraction to hide other activities.
- Stuxnet, first discovered in the field in 2010, is arguably the best-known piece of malware targeting industrial control systems. Widely attributed to the United States and Israel, it sought out and attacked very specific models of programmable logic controllers (PLCs) made by Siemens used in very specific applications, and was aimed at physically damaging or destroying centrifuges used for uranium enrichment in Iran. Apparently, it was first spread via infected thumb drives.
- Triton, aka Trisis, targets industrial safety/emergency shutdown systems from Triconex. Although its first reported attack, in the Middle East, caused a shutdown rather than physical damage, analysts believe this was inadvertent. “We have not attributed the incident to a threat actor,” says cybersecurity company FireEye, “though we believe the activity is consistent with a nation-state preparing for an attack.”
What can be done
In a sense, the attack surface includes all the digital devices belonging to everyone in a company who has access, even indirectly, to any part of the control systems — which is to say nearly everybody. Ideally, each of these people should be fully trained in digital hygiene and follow all aspects of it at all times, whether at work, at home or on the road, without ever making a mistake or losing focus. Not going to happen. That leaves it up to the company to manage its systems so that they resist penetration despite human imperfections.
A good step is to follow the NIST Cybersecurity Framework. “Created through collaboration between industry and government,” NIST explains, “the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.” The Web site contains a wealth of information, tutorials and general guidance.
A Schneider Electric blog makes the point that there are three steps toward cybersecurity. The first is to embed cybersecurity in the user experience. If it is cumbersome or complicated, people will find workarounds that defeat it. The second is to emphasize that cybersecurity is everybody’s job, all the time. The blog points out that “two-thirds of malware linked to data breaches or other incidents last year came from malicious email attachments. It takes just one bad click to open the gates to the nefarious cyber underworld.” The third is to use a layered approach, based on guidance in the NIST framework.
Another good source of guidance is a Schneider Electric whitepaper entitled Cybersecurity Assessment — The Most Critical Step to Secure an Industrial Control System. It goes through the process step-by-step, beginning with the Security Lifecycle (based on ISA/IEC 62443), followed by documenting the system, vulnerability assessment, creating zones and conduits, cyber risk assessment, and process documentation. It also includes a recommendation for the ISA’s IACS Lifecycle Cybersecurity Training, based on IEC 62443.
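One way to make the "document the system, then create zones and conduits" steps checkable, as an added example that is not from the whitepaper or from Schneider Electric: a small Python model of documented zones (each with its IEC 62443 target security level) and the conduits permitted between them, run over constructed firewall-style flow records to flag traffic the design does not allow. The zone names, addresses, ports and flows are assumptions made for illustration.

```python
# Added example (not from the whitepaper): a small IEC 62443-style
# zone/conduit model used to audit observed network flows. Every zone,
# address, port and flow below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    assets: frozenset     # documented asset addresses in this zone
    sl_target: int        # target security level (SL-T), 1..4, for the risk step

class ZoneModel:
    def __init__(self, zones, conduits):
        # conduits: {(src_zone, dst_zone): set of permitted destination ports}
        self.asset_zone = {a: z.name for z in zones for a in z.assets}
        self.conduits = conduits

    def check_flow(self, src, dst, port):
        """Classify one observed flow as (allowed, reason)."""
        sz, dz = self.asset_zone.get(src), self.asset_zone.get(dst)
        if sz is None or dz is None:
            return False, "undocumented asset"      # inventory gap
        if sz == dz:
            return True, "intra-zone"
        ports = self.conduits.get((sz, dz))
        if ports is None:
            return False, f"no conduit {sz}->{dz}"
        if port not in ports:
            return False, f"port {port} not allowed on {sz}->{dz}"
        return True, f"conduit {sz}->{dz}"

    def violations(self, flows):
        """Flows that do not match the documented zones and conduits."""
        results = [(f, self.check_flow(*f)) for f in flows]
        return [(f, reason) for f, (ok, reason) in results if not ok]

def run_audit():
    model = ZoneModel(
        [Zone("enterprise", frozenset({"10.1.0.5"}), 1),
         Zone("dmz", frozenset({"10.2.0.10"}), 2),
         Zone("control", frozenset({"10.3.0.20"}), 3),
         Zone("safety", frozenset({"10.4.0.30"}), 4)],   # no conduit in
        {("enterprise", "dmz"): {443}, ("dmz", "control"): {502}})
    flows = [("10.1.0.5", "10.2.0.10", 443),    # allowed via conduit
             ("10.2.0.10", "10.3.0.20", 502),   # allowed via conduit
             ("10.1.0.5", "10.3.0.20", 502),    # bypasses the DMZ
             ("10.3.0.20", "10.4.0.30", 502),   # safety zone has no conduit
             ("192.168.9.9", "10.3.0.20", 22)]  # asset not in inventory
    return model.violations(flows)
```

Each flagged flow is either an inventory gap (an asset nobody documented) or a path the zone design never authorized, which is exactly the input the later vulnerability and risk assessment steps need.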
In March of this year, the Digital Manufacturing and Design Innovation Institute (DMDII) launched the National Center for Cybersecurity in Manufacturing, with seed money from the Department of Defense. DMDII recently quoted a 2007 Verizon data breach investigation report that “35 percent of all cyber-espionage attacks in the U.S. are addressed at the manufacturing sector, the largest amount of any single sector.”
While cybersecurity can never be absolutely guaranteed, it can be approached; following the advice above can go a long way to protecting a manufacturing facility from attack.