Going critical: malware takes out critical infrastructure
November 2017 was the U.S. Department of Homeland Security's Critical Infrastructure Security and Resilience Month, which aims to build awareness of the importance of protecting critical infrastructure such as power and water utilities against attacks.
It's a topic that's becoming ever more critical: earlier in December (and just a couple of weeks after the end of the DHS' CI Security Month), it was revealed that hackers closed down plant and industrial systems in the Middle East using the Triton Malware. This is a very rare occurrence; only a handful of malware families have been specifically developed to attack essential infrastructures and industrial processes that we rely on for electricity, gas, oil, and water supplies.
The most notorious attack, Stuxnet, was discovered in 2010 and became the first malware to take out industrial machinery, causing centrifuges to spin out of control at an Iranian nuclear facility. In 2016, malware successfully took down a power grid in the Ukrainian capital, Kiev. In each case, it's not the scale of the damage that caused alarm as much as the potential implications.
Usually, malware is deployed for financial gain through ransom, theft, or another form of extortion, but in Triton's case there was no evidence of any financial intentions. Attackers targeted core infrastructure with skill and persistence, and went directly for the victim's industrial control system (ICS) architecture. Investigations into the Triton malware pointed towards state sponsorship, but the origin is still unknown. All of this could signify the first indications of cyber-warfare, or could at least imply that one day, attacks like these will become commonplace.
We may be as unprepared as we fear. Typically these kinds of attacks target supervisory control and data acquisition (SCADA) architectures. These networks provide essential access to control machinery. As we mentioned in a recent blog, the days when the security of SCADA/ICS networks could be overlooked because of the difficulty in targeting them are long gone.
The practicalities of securing ICS networks are complex. The current generation of networks offers a high level of flexibility for remote access, management and automation of various control modules, and this same flexibility also introduces vulnerabilities.
What's more, visibility into ICS networks is often compromised: in the latest 2017 SANS survey on Securing Industrial Control Systems, four out of 10 respondents said they lack visibility into their networks. Security teams need full knowledge of connected and interconnected assets, their configurations, and the integrity of communications between them if they are to successfully protect critical infrastructure. The other leading threats reported were accidental internal threats (43%), external threats from hacktivists or nation-states (40%) and ransomware (35%).
Ramping up security
These recent attacks highlight the need to ramp up the resiliency of SCADA networks, which regular testing, validation, and remediation can make possible. Key to this will be the ability to simulate real-world application and security traffic, to test the environment and see what might happen in the event of an attack. This way, any new configurations such as upgrades, updates, and new hardware can be tested safely before they're made live.
This is the principle on which Ixia has built its all-in-one applications and network security testing platform, BreakingPoint. It enables IT/OT teams to simulate their environments realistically, without the cost of replicating the real equipment and infrastructure, and can help them to shore up defences against malicious individuals and nation states looking to attack the grid.
If you'd like more information on protecting ICS and SCADA systems / networks, here's how BreakingPoint can help.