Cyberthreats to critical infrastructure jumped into the headlines in 2017, starting with a Reuters report in January that a recent power outage in Ukraine “was a cyber-attack”. In last year’s Trends report we said that we expected infrastructure attacks to “continue to generate headlines and disrupt lives in 2017”. Sadly, we were right, and unfortunately, I have to say that the same trend is likely to continue in 2018 for reasons outlined in this update. It should be noted that critical infrastructure is more than just the power grid and includes the defense and healthcare sectors, critical manufacturing and food production, water, and transportation.
Turn it off and on again
Let’s look at how things have progressed over time. In late December of 2015, cyberattacks on Ukrainian power companies resulted in electricity service being turned off for several hours to hundreds of thousands of homes in that part of the world. The first article published by ESET researchers in 2016 (on this incident) was Anton Cherepanov’s analysis of BlackEnergy, the malicious code used in that cyberattack. That specific malware did not directly manipulate Industrial Control System (ICS) devices, but it enabled hackers to penetrate the networks of electricity distribution companies and kill software used by ICS equipment. Press reports then – some with eye-grabbing headlines like “Malware turns off the lights” – did not make that distinction clear.
The attack in late 2016, first reported in January of 2017, was quite different, as ESET researchers Anton Cherepanov and Robert Lipovský reported on WeLiveSecurity. Their analysis described a new piece of malware that is capable of controlling electricity substation switches and circuit breakers directly, in some cases literally turning them off and on again (which can severely disrupt supply at this scale). They dubbed this malware Industroyer and made a very strong case for it being the biggest threat to industrial control systems since Stuxnet. When they presented their malware analysis at Black Hat USA 2017, the room was packed and you could have heard a pin drop.
Industroyer’s implications for the future of critical infrastructure threats are worrying to say the least, as you can tell from the tone of this interview with Robert Lipovský. The industrial equipment that Industroyer targeted is widely used (well beyond Ukraine – for example in the UK, EU, and the US – and across multiple critical sectors). Furthermore, a lot of ICS equipment still in use today was not designed with internet connectivity in mind, making any retroactive protective measures challenging to implement.
Of course, many of the organizations that currently operate critical infrastructure are working hard to secure it. ESET’s research further suggests that any future cyberattack using Industroyer would need to be tailored to specific targets. This may limit eventual outbreaks to well-funded attackers and impede widespread campaigns aimed at turning out the lights, crippling transportation, or halting critical manufacturing. However, it is not unusual for such conditions to change over time as attack code is refined and intelligence is gathered. In other words, the ability to carry out cyberattacks on the power grid will tend to increase through 2018 unless blocked by preemptive measures, like system upgrades, early detection of network probing, and drastic improvement in phishing detection and avoidance.
Infrastructure and supply chain
Unfortunately, simply upgrading old ICS equipment with gear that was designed with internet connectivity in mind will not automatically improve security. That is because, as Stephen Ridley, founder and CTO of Senrio (a company focused on the security of connected devices) points out: industrial devices are shifting from application-specific integrated circuits (ASIC) to a generic and cheaper System-on-Chip (SoC) architecture for which code libraries are readily available.
While producing cost savings, the newer approach introduces further weaknesses into the supply chain, such as chips with hard-to-patch vulnerabilities, and code re-use that introduces software vulnerabilities. Examples in 2017 are the Devil’s Ivy flaw found in over 200 different models of security camera made by Axis Communications, and the BlueBorne vulnerabilities that impacted several billion devices across the most popular platforms: Windows, Linux, iOS and Android. Forecasts are that more such examples will still be discovered in 2017, and beyond 2018.
A different type of supply chain problem made headlines in 2017, in part because it affected the entertainment industry. While arguably not critical infrastructure, this sector learned some lessons in 2017 that are of value to the truly critical parts of the economy. The attempted extortion of Netflix over the “Orange is the New Black” TV series, and the unrelated digital theft of the latest installment of the Pirates of the Caribbean movie franchise both point to worrying aspects of supply chain security.
While many large companies appear to be taking cybersecurity much more seriously these days, with security teams getting both the budget and the C-level backing required to do a good job, many smaller businesses supplying goods and services to larger organizations are struggling. That makes them an attractive target if, for example, they happen to have a blockbuster sitting on their post-production audio processing systems, which happen to be connected to their office network, and whose users have not been trained to recognize phishing emails.
2017 confirmed that security weaknesses at those smaller suppliers are an effective means to compromise large targets such as major motion picture producers. After several high-profile cases made the news, I put together some advice on supply chain security, which is also relevant to organizations involved in critical infrastructure. After all, attackers may find it hard to hack into the network of a large utility company directly, but what if they hack the company that supplies janitorial services instead?
In the old days, we used to worry about the “evil janitor attack” in which an ethically challenged but computer-savvy janitor might obtain unauthorized network access while taking a break from cleaning offices on the night shift. While that threat has not entirely disappeared, it has been joined by the threat of a cyber-insecure janitorial supply firm connecting to power plant systems via a vendor services portal (for example) that is poorly segregated from the ICS network.
The implication? Critical infrastructure organizations need to keep improving their security in 2018, reducing the effectiveness of phishing attacks (still amongst the most prevalent attack vectors), segregating and controlling network access, reviewing and testing both old and new hardware and software, and doing digital due diligence on suppliers. They also need to watch for and react to the kind of network probing and surveillance that may presage a full-on cyberattack.