The devices and protocols used in industrial control systems (ICS) are present in nearly every industrial sector and are at significant risk of disruption by malicious adversaries. We, as cybersecurity professionals, cannot wait for governments around the world to push industry into protecting itself through regulation or compliance. We need to take direct action now to protect our systems and the societies that depend on them.
“INCONTROLLER represents an exceptionally rare and dangerous cyber-attack capability” – Mandiant
“Chernovite’s PIPEDREAM can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics” – Dragos
INCONTROLLER (Mandiant's name) and PIPEDREAM (Dragos' name for the same toolkit) were built to manipulate and disrupt industrial processes, and PIPEDREAM is the seventh known ICS-specific malware. Cybersecurity professionals discovered, analyzed, and created defenses against this framework before it was deployed. Identifying risk is something the security community is good at. Treating risk is where the industry struggles most, held back by external challenges such as budget, a lack of skilled people, and the "it won't/can't happen to us" mentality. Even when operators have been given clear guidance on how to protect their systems, implementing the changes that close the vulnerabilities still takes dangerously long or is carried out ineffectively.
Although INCONTROLLER was discovered before it was used in the wild, it is a complete, ready-to-deploy attack capability rather than a proof of concept, so expect the stakes to keep rising. INCONTROLLER/PIPEDREAM jeopardizes many kinds of critical infrastructure by targeting programmable logic controllers (PLCs) and related devices embedded in automated machinery. These devices are often found in inconspicuous parts of industrial operations. We have yet to understand the full-scale consequences of this.
For many years, the only real protection was keeping Operational Technology (OT) isolated from the business IT network. However, an isolated network has its own failure modes if it is not implemented correctly. In addition, rising costs of raw material extraction and processing, scarcity of resources, and global economics all play their part in squeezing margins. The drive to cut costs and improve efficiency means that industrial control systems, and their management layer, are now doing something they were never designed for: being internet facing. Approaches such as one-way transfer devices (data diodes) restrict the direction of traffic, but a diode only limits which way data can flow; the asset behind it is still connected. Visible. Reachable.
In December 2016, power was cut to part of the Ukrainian grid. The attackers used the Industroyer malware. Even though Ukraine had already experienced an attack from this malware, a retooled variant (Industroyer2) was deployed in 2022 against a Ukrainian energy provider; that attempt was detected and disrupted, but it shows the same tooling coming back for a second round. To date, it is not publicly known how the attackers compromised "patient zero" at the utility, nor how they moved from the IT network into the Industrial Control System (ICS) network. This is just another example of how good attackers are at finding weaknesses to exploit, and how difficult it is for defenders to keep up. As the old saying goes: they only need to get it right once, we need to get it right every time.
This new Industroyer campaign followed multiple waves of wipers that have been targeting various sectors. Wiping data and systems is another way to disrupt a business. While these targets were part of "critical infrastructure", that in no way makes them unique. The media may focus on nation-states, but attackers do not discriminate: any target is as good as another, and they know that with patience there is always a vulnerability to discover and exploit.
The only systems and data that are beyond the reach of a network attacker are those that are completely disconnected from the internet. Yet as The International Society of Automation points out in its myth-busting series of blogs, “…a true airgap is no longer practical in an interconnected world. While many will agree that airgaps are disappearing, some still believe this is a viable security measure.”
So if disconnected means secure but impractical, and connected means practical but insecure, is there a third alternative? Let's explore this further.
There is an important distinction to draw among the claims of disconnectedness made for traditional "airgap" products. "Logically" disconnected systems are not physically disconnected at all; they are hidden or obfuscated behind layers of software, and that same software is the attack surface. In a software-defined network, real due diligence is needed to see beyond the marketing material of a software-only airgap solution: every rule, tunnel, and management plane is code that can be misconfigured or exploited. When something is physically disconnected, the human-error element, such as the management back door an administrator leaves open or the default password that never gets changed, is mitigated by the fact that the asset is not connected in the first place.
In the face of such risk, put your trust in simple yet effective solutions that solve real-world problems and ensure your systems are not sitting ducks for attackers. Be IN CONTROL, not INCONTROLLER'ed.