Catch 22: Relying on Vulnerable Systems in hosting Critical ApplicationFeb 25, 2019
The last 10 years we have seen increased attacks targeting critical installations, particularly the energy sector. We have learned of the Shamoon and Triton malware targeting oil and gas industry in the Middle East and Stuxnet which hit nuclear facility in Iran. These attacks and others, uses a combination of methods in an effort to steal sensitive operations, exploration and financial information from petroleum and energy companies, as well as cause large scale disruptions, in which in noteworthy incidents, resulted the crippling of operations.
Based on analysis of previous incidents, the cyber attacks were primarily attributed to malware infections with attack vector initiated via phishing and spam emails, as well as file infection through file transfers, and even USB storage drive. These findings are deduced from reports based on forensics analysis done on computers affected in order to identify patient zero, besides analysing the malware artifact by various security companies. Without discounting the fact that there are incidents due to penetration from insider threats and vulnerabilities within the supply chain. The targeted systems are often the Industrial Control Systems, SCADA and most recently Safety Instrumented System.
The impacts of the attacks are two folds, impairing operations by unauthorized shutdown or changes to system operations, and destruction of data. Incapacitation of a critical function can cause a domino effect on business operations that can be widely distributed geographically. In most recent incident involving the Triton malware, the attack could have caused loss of life and wide scale pollution. Past incidents recorded financial loss ranging in hundreds of million US dollars. An Oil and Gas company that had over 30,000 computers affected in the cyber attack, took five months to recover their core functions. Operations were forced to be done on pen and paper, and free fuel supplies delivered to customers due to payment disruption.
In highly regulated critical sectors, organisations put into practice risk assessment, rehearse playbooks, often spot on when involving physical security threats that works well with long term plans. Cyber security attacks on the other hand, are relatively more complex to visualize, demonstrate and rehearsed. The threat may come in the form of everyday malware attached email, continuous network scan that transmits exploit codes and infect mobile workers, and USB storage devices. It takes a single human mistake to cause a mass malware outbreak or a stealthy targeted host penetration.
The ICS and SCADA systems are perceived as proprietary systems, residing on isolated network operating less secure protocols. Pursuant to that, with digitalisation and Internet of Things (IoT), the systems and data are slowly migrating to operate on standard operating system, with some demands from customers, to have these systems accessible from the Internet. The question is what is the state of cyber security readiness of the critical systems as we embrace digitalisation and IoT?
In a “hostile” network environment today, due to the amount of malware scanning on the network and targeted threat to critical sector, multi-layered cyber security control approach is inevitable. The aim is to minimize the risk of compromise through mitigation of threats and human error.
It is important to note that critical systems such as the ICS and SCADA system need to reside on operating systems. The backend server as well as the front-end user interface are residing on third party operating system environment operated by personnel on-site and at remote locations. Why are these critical backend and frontend systems running on vulnerable operating systems, in which to comply to security standards, require constant patching and updates, and most often than not, require system reboot? Why are the critical applications using weak authentication and network protocols that enable man-in-the middle attack and theft of access credentials? Why are the user commands and data transmitted over non secure application layer protocols? The Australian Signals Directorate identify 85% of intrusion techniques that the Cyber Security Operations Centre responds to, can be mitigated by Top 4 controls : Application Whitelisting, Patching of applications and Operating System, as well as minimize administrative access privileges. Based on almost 20 years of large scale cyber attack incidents in the energy sector, they involve some form of intrusion and malware penetration.
Cyber attack methods of the major incidents involve similar modus operandi, which includes:
- • Attack vector via phishing, network scans
- • Exploit and persistence attack via malware infection
- • Steal credentials
- • Remote access for further reconnaissance to identify critical systems
- • Unauthorized access to critical systems
- • Modify configurations
- • Change/falsify shutdown, sensor signals, temperature shifts, pressure valve
A strategy towards better, improved defences in mitigating cyber risks involves integrating security in the design, development and implementation of the network, system and application. This includes, but not limited to, security in software development DevSecOps, effective endpoint controls, and segmentation of networks for various user functions. There are established security standards such as IEC 62443 that does not require one to reinvent the wheel in terms of security requirements. However, every network and application are unique to organisations and need to be designed to fit for purpose.
It is pertinent that we realize that cyber attacks, although they appear to impact in split seconds, takes weeks or months of stealthy information gathering. The cyber attack kill chain often involve a few cycles of reconnaissance, exploit, penetration, further internal reconnaissance, identification of critical system before final execution of attack on critical systems. Effective intelligence gathering on network and systems may detect telltale signs of anomalous activities on systems and network. OT personnel need to be aware of anomalies, in which, with prompt investigations for early detection and intervention, major attacks can be prevented. Ultimately, it takes finesse to stop malicious activities from reaching critical systems. It requires controls on all layers including the endpoints. It requires a hard look at the dependencies of vulnerable system to operate critical systems.
-  Payal Bhattar “Power-up the security blanket”. https://www.wartsila.com/twentyfour7/innovation/power-up-the-security-blanket, June 27, 2017
-  Ms Smith “Saudi Arabia hit with disk wiping malware Shamoon 2”. https://www.csoonline.com/article/3161146/security/saudi-arabia-again-hit-with-disk-wiping-malwareshamoon-2.html , Jan 24, 2017
-  Nicole Perlroth, Clifford Krauss, “A Cyberattack in Saudi Arabia had a deadly goal. Experts Fear Another Try”. https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html , Mar 15, 2018
-  Stephen Jewkes and Jim Finkle “Italian Oil Services Firm Saipem blames Cyber attack on Shamoon Virus variant”. https://www.insurancejournal.com/news/international/2018/12/13/511880.htm , Dec 13, 2018
- Raja Azrina is the Information Security Advisor of PERNEC Integrated Network and System Sdn Bhd and has over 22 years combined experience in Telecommunications Technology working in ISP as well as Enterprise Systems and Network. She was instrumental in designing, implementing and auditing applications, systems and networks for customers in Critical Agencies. She co-founded the Malaysian Computer Emergency Response Team (MyCERT), former CTO for CyberSecurity Malaysia with vast experience in, digital forensics, cyber crisis management, as well as detection and mitigation of nationwide malware outbreaks.