Building Security Resiliency Into Critical Infrastructure
Last month, National Cybersecurity Awareness Month efforts closed by focusing on scenarios straight out of action movies and nightmares – attacks on our critical infrastructure. These days, however, the threat is more likely to come from an innocent seeming email than bomb-toting terrorists à la Die Hard.
Utilities, hospitals, transportation systems, and all the other systems our communities and countries depend on are increasingly digitally controlled and connected. This brings tremendous productivity and reliability gains: better alignment of supply and demand, predictive maintenance planning, predictive outage response, instantaneous sharing of vital data and more. In some cases, like health care, it can make the difference between life and death.
However, this hyper-connectivity has increased the cyber risk for our critical systems exponentially. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that, in 2015, cybersecurity incidents involving critical infrastructure increased by 20%. And 2016 shows no slowdown.
Take the spate of ransomware attacks on health service organizations that disrupted operations for days in some cases. Or April’s attack on the Lansing Board of Water and Light in Michigan that cost the utility an estimated $2 million so far.
Even our most potentially dangerous systems are at risk. Inspectors at a nuclear plant in Gundremmingen, Germany discovered malware on several PCs earlier this year. Fortunately, they were not connected to any critical systems in the nuclear reactor. And just last month, the head of the International Atomic Energy Agency (IAEA) revealed that an attack occurred on an unnamed nuclear plant at some point in the past two to three years – one that was serious enough to disrupt operations.
Energy Under Attack
The energy sector is particularly vulnerable. Coordinated cyberattacks on the Ukraine power grid ten months ago left more than 230,000 customers without power. Hackers gained control of the Supervisory Control and Data Acquisition (SCADA) network that controlled the grid and proceeded to shut off approximately 60 substations.
The initial infection vector? A phishing email with a malicious Word attachment that, when victims clicked to enable macros as prompted, downloaded the BlackEnergy3 malware that opened a backdoor by exploiting a vulnerability in Microsoft Office documents (CVE-2014-4114). From there, they eventually made their way into the SCADA networks, despite firewall segregation, by gaining access to the Windows Domain Controllers and stealing login credentials.
SCADA networks are an increasingly popular target. In the Institute for Critical Infrastructure Technology’s (ICIT) “The Energy Sector Hacker Report,” researchers point out that many utilities companies depend on legacy SCADA and industrial control systems (ICS ) that were not designed with cybersecurity in mind and are beyond their intended lives.
Toward a Resilient Infrastructure
Developing greater resilience in our critical infrastructure systems requires addressing several interrelated factors. On a broad scale, we must identify, assess and address risks while creating continuity practices to ensure essential services are still available when disruptions occur.
The best way to contribute to this resilience, from a cybersecurity standpoint, is to build a more resilient cyber threat prevention strategy. One that can adapt to the changing threat landscape to stay a step ahead of attackers’ plans. Such a strategy must begin with the most common entry point for attackers – the endpoint.
Small but Deadly
Other than the recently disclosed nuclear plant breach, for which we have no details, all of the above examples have one thing in common – the attack began at the endpoints. Take the case of attacks on the power grid. Malware, like BlackEnergy, is specifically developed to gain access to SCADA networks by targeting their human-machine interface (HMI) systems, which typically reside in a Windows-based endpoint.
Trend Micro researchers recently analyzed ICS-CERT advisories and data from TippingPoint’s Zero Day Initiative to understand the attack surface that is exposed by HMI systems. They found that Memory corruption vulnerabilities, including stack-based buffer overflows, heap-based buffer overflows, and out-of-bound reads and writes, are the most common type. Approximately twenty percent of the issues fell into this category. So, clearly, a resilient endpoint threat prevention stack must include a solution that can prevent or at least detect memory corruption vulnerabilities.
But, what about the ransomware attacks on hospitals? Many of these were file-less attacks. We can’t simply load-up the endpoints, trying to anticipate every type of malware variation and type. Not only would endpoint performance become sluggish, system administrators would be too busy chasing after security alerts to stay on top of critical operations issues.
Desperately Seeking the Solution
So, how can we protect our essential systems and services? Some newer technologies hold promise, as antivirus add-ons, to provide memory protection and exploit prevention without eating-up limited resources. Moving Target Defense (MTD), for example, makes vulnerabilities in applications like web browsers inaccessible to attackers by morphing the targets ahead of attacks.
Of course, the most basic advice is to keep patching. According to NSA Deputy Director Richard Ledgett, most of the high-profile breach cases that the NSA investigates involve a known but unpatched vulnerability.
Rather than seeking a single solution, critical industries should combine traditional and innovative technologies with good cyber hygiene to keep services running safely and efficiently.
(About the author: Mordechai Guri, Morphisec’s chief science officer, has more than 20 years of practical research experience. Mordechai is also head of research and development of the Cyber Security Research Center, Ben-Gurion University of the Negev, and was awarded the prestigious IBM PhD International Fellowship in 2015-2016. He manages academic research in various aspects of cybersecurity to the commercial and governmental sectors.)