Physical and digital systems are increasingly linked together in modern industrial environments like those seen in the United States. While this connectivity automates the management of industrial control systems (ICS), it also means a digital attack against our nation’s critical infrastructure could negatively affect users’ physical health and safety. In the name of national security and public health, it’s imperative that IT and OT professionals put their heads together to strengthen the United States’ security posture for industrial control systems. They can start by learning from the past.
Celebrating the fifth and final week of National Cyber Security Awareness Month (NCSAM) 2016, we at The State of Security would like to emphasize the goal of building resilience in critical infrastructure. We’ll do so by discussing three ICS security incidents that rocked 2016 and by sourcing expert opinion on what we can learn from each of those events.
1. Operation Ghoul
In August 2016, researchers at Kaspersky Lab uncovered “Operation Ghoul,” a spear-phishing campaign targeting industrial organizations in the Middle East. Each attack began with a phishing email that appeared to come from the Emirates NBD, a bank based in the United Arab Emirates. In reality, the email was a fake. It came with an attached document laced with HawkEye, malware which collects victims’ keystrokes, clipboard data and other information on behalf of the attackers.
At the time of discovery, Kaspersky had identified 130 victims of Operation Ghoul. Most of those organizations operated in the petrochemical, naval, military, aerospace and heavy machinery industries located in Spain, Pakistan, the United Arab Emirates, India, Egypt, and elsewhere around the Middle East.
What We Should Learn
Lane Thames, a software development engineer and security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT), feels Operation Ghoul highlights the security industry’s ongoing need to address human error when defending against digital attacks:
“Operation Ghoul was an interesting attack campaign because it exploited the ‘human element’ in order to penetrate its target, and it used commercial-off-the-shelf malware to achieve its final outcomes. There was no innovation in this campaign, which successfully penetrated mostly industrial and engineering organizations.
“The attack is one of many that continue to illustrate, unfortunately, that we are still lagging behind the bad guys in this game of cybersecurity. Cybersecurity is a hard problem, and a solution cannot be approached by technology alone. There is a human component as well as a technology component in the solution space. Both must be addressed in order to start gaining ground in this game.
“I personally believe that we have a long way to go because we are failing miserably at addressing the human component of cybersecurity. Our educational ecosystem is not properly focusing on this problem. In the short term, organizations should focus on continuous cybersecurity training and awareness for their employees.
“For the long term, we need to start teaching our children early on about the consequences of using digital technology. The fundamentals of cybersecurity need to be integrated into our education programs, especially STEM-based curricula. STEM students are the ones who will be developing our technology of tomorrow. They need to know how cybersecurity works just as much as one who specializes in cybersecurity. Until we start addressing the educational front, I’m afraid the bad guys will continue to win.”
2. BlackEnergy-Borne Power Outage
On December 23, 2015, the western Ukrainian power company Prykarpattyaoblenergo reported a power outage that affected an area including the regional capital Ivano-Frankivsk. An investigation later determined that attackers had leveraged a Microsoft Excel document containing malicious macros to compromise an employee’s workstation and inject BlackEnergy malware into the company’s network. The malware provided “interference” while the attackers cut off power to the affected region.
What We Should Learn
Pavel Oreški, an IT analyst at Tripwire’s parent company Belden, says the attack demonstrates how spam mail continues to pose a serious threat to organizations:
“The BlackEnergy malware incident at the Ukrainian power company Prykarpattyaoblenergo shows precisely how an unthinking act of just one employee can lead to a very destructive event. I can’t help but imagine a similar attack affecting a nuclear power plant with much worse consequences.
“In this incident, the attack initialized after the recipient opened an Excel document and trusted an unverified email sender enough to enable macros. All of us encounter similar types of spam mail on a daily basis. I sure do.
“What if I were to ignore IT security principles and click on the document? That could allow the attacker to destroy the disks of our enterprise resource planning (ERP) system, for example. During recovery, the company might be paralyzed for a few hours, an outage which could cause purchase, production, and delivery delays with unhappy customers as a result.”
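The entry point in this incident was an Excel attachment whose macros the recipient enabled. One layer of defence that a mail gateway or endpoint agent can apply before a user ever sees the "Enable Content" prompt is to check whether an Office attachment carries a VBA project at all. The following is an example added by the editor, not code from the article or from Tripwire; it relies on the standard Office Open XML package layout (a zip containing `[Content_Types].xml`, with VBA code stored in a part named `vbaProject.bin` under `xl/`, `word/` or `ppt/`) and on constructed sample attachments built in memory:

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Standard OOXML markers for embedded VBA (assumed from the Office Open XML package format)
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files (.xls/.doc) are OLE compound documents, not zips
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return one of: 'macro', 'clean', 'legacy-ole', 'not-office'.

    'macro' means the OOXML package contains a VBA project part (or declares its
    content type); 'legacy-ole' means a binary-format file that needs a dedicated
    OLE parser and should not be passed through unexamined.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"
        # Part name check: covers xl/, word/ and ppt/ variants in one test
        if any(n.lower().endswith(VBA_PART_SUFFIX) for n in names):
            return "macro"
        # Belt and braces: a package may declare the VBA content type even if the
        # part is oddly named
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in ctypes:
            return "macro"
        return "clean"


def triage_mail(attachments: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group attachment filenames by verdict so a gateway policy can act on them
    (e.g. quarantine 'macro' and 'legacy-ole', deliver 'clean')."""
    verdicts: Dict[str, List[str]] = {}
    for filename, data in attachments:
        verdicts.setdefault(classify_attachment(data), []).append(filename)
    return verdicts


# --- constructed sample packages for demonstration (not real documents) ---
def _build_package(parts: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_CT_CLEAN = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
             b'package/2006/content-types"><Override PartName="/xl/workbook.xml" '
             b'ContentType="application/vnd.openxmlformats-officedocument.'
             b'spreadsheetml.sheet.main+xml"/></Types>')
_CT_MACRO = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
             b'package/2006/content-types"><Override PartName="/xl/workbook.xml" '
             b'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
             b'<Override PartName="/xl/vbaProject.bin" '
             b'ContentType="application/vnd.ms-office.vbaProject"/></Types>')

SAMPLE_CLEAN_XLSX = _build_package({"[Content_Types].xml": _CT_CLEAN,
                                    "xl/workbook.xml": b"<workbook/>"})
SAMPLE_MACRO_XLSM = _build_package({"[Content_Types].xml": _CT_MACRO,
                                    "xl/workbook.xml": b"<workbook/>",
                                    "xl/vbaProject.bin": b"\x00placeholder vba\x00"})
SAMPLE_LEGACY_XLS = OLE_MAGIC + b"\x00" * 64
SAMPLE_TEXT = b"Dear customer, please find the invoice attached.\n"

if __name__ == "__main__":
    result = triage_mail([("report.xlsx", SAMPLE_CLEAN_XLSX),
                          ("invoice.xlsm", SAMPLE_MACRO_XLSM),
                          ("old.xls", SAMPLE_LEGACY_XLS),
                          ("note.txt", SAMPLE_TEXT)])
    for verdict, files in sorted(result.items()):
        print(f"{verdict:11s} {', '.join(files)}")
```

The check only establishes that a VBA project is present; it says nothing about what the macro does. That is deliberate: a gateway policy that quarantines or strips any macro-bearing attachment from external senders removes the "trust an unverified sender enough to enable macros" decision from the employee entirely, which is the failure mode this incident illustrates.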
3. Iranian Dam Attack
On March 24, 2016, officials at the Department of Justice publicly accused an Iranian hacker of gaining unauthorized access to the Bowman Avenue Dam, “a very, very small” structure used for flood control near Rye, NY. Law enforcement launched an investigation into the incident and determined that the hacker never succeeded in gaining control of the dam. They did find, however, that the hacker probably learned critical information about how the structure operates.
The hacker belonged to a group of criminals that, with the likely sponsorship of Iran’s Islamic Revolutionary Guard, is believed to have leveraged distributed denial-of-service (DDoS) attacks to block access to the websites of 46 separate institutions, including JPMorgan Chase, Bank of America, the New York Stock Exchange and Capital One.
What We Should Learn
Keirsten Brager, CISSP, CASP, a Tripwire Resident Engineer at a major power utility, notes there’s a lot going on in this story but that organizations can take steps to protect themselves:
“Three issues stand out in this article: malware infections of third parties, botnet-based distributed denial-of-service (DDoS) attacks against web apps, and remote access vulnerabilities. While no solution is foolproof, there are defense in depth strategies that can mitigate the risks that accompany these threats.
Malware: Defend, Detect, Respond
- Keep patches up-to-date on systems AND applications. In one of the incidents, Symantec reported that the RIG exploit kit was used to check for vulnerabilities in IE, Silverlight, Adobe, and Java. Unpatched machines were then infected with malware.
- Since malware continues to evade network security defenses, organizations should continuously evaluate their endpoint detection and response capabilities. Tripwire has a free Endpoint Security guide to help you: https://www.tripwire.com/state-of-security/incident-detection/advanced-malware-detection-and-response-begins-at-the-endpoint/
- Deploy web app firewalls, such as Imperva, to automatically block known attacks against web apps.
- Change default passwords to prevent devices from becoming part of a botnet. Malware was used to scan the internet for default passwords on IoT devices that were then used as part of a botnet in the recent DDoS attacks against security researcher Brian Krebs and internet infrastructure company Dyn.
- Use services such as OpenDNS to distribute denial-of-service traffic across multiple nodes to lessen the impact on the infrastructure behind it.
- Deploy routers and/or firewalls that can detect DoS attacks and filter traffic to drop packets that match attack patterns.
The Case for Multi-factor Authentication Investments
- The alleged attacker in the Bowman Avenue Dam in Rye, NY maintained continued remote access to their computer systems without multi-factor authentication.
- One of the largest attacks against banking critical infrastructure (JP Morgan Chase) was mainly attributed to the lack of two-factor authentication.
- Booz Allen’s latest threat briefing concluded that the biggest points of failure in the successful DDoS attack against Ukraine’s electricity grid were remote access to the ICS environment and lack of multi-factor authentication.
“These incidents demonstrate that one of the best access control defenses available is multi-factor authentication for remote access.
“Organizations can build resilience in their critical infrastructure by prioritizing malware, DDoS, and remote access protection strategies. However, even the most well-thought-out security program cannot prevent every attack. Therefore, detection via continuous monitoring and response capabilities are paramount for an organization to quickly recover from a cyber incident.”
As in IT environments, industrial organizations can best protect themselves against an ICS security incident by training their employees and by following security best practices. That’s an excellent lesson for industrial companies to keep in mind as we move into Critical Infrastructure Security and Resilience Month (CISR).
To learn more about that public awareness campaign, including what your organization can do to help build resilience in our nation’s critical infrastructure, please click here.