A powerful malware, dubbed Triton or Trisis, which allows hackers to gain remote access to energy facilities’ safety systems, has reportedly been accidentally leaked online for anyone to download. The malware is considered by some experts to be a next-generation cyberweapon and has already been used in December 2017 to shut down an oil and gas facility in the Middle East.
According to research from multiple cybersecurity firms including FireEye, Dragos, Symantec and Trend Micro, the malware is likely created by a nation-state and targets safety systems of industrial control systems (ICS). Triton specifically targets the safety instrument system (SIS) produced by Schneider Electric’s Triconex.
Triton can reportedly allow hackers to dismantle safety systems that can lead to the breakdown of machinery or even cause explosions. Quoting three anonymous sources, Cyberscoop reported that the malware’s framework was inadvertently posted to VirusTotal inadvertently by Schneider Electric. The malware has reportedly been publicly available since 22 December and could even have been downloaded by anyone.
How does such dangerous malware accidentally leak online? Someone was either extremely careless, or there was nothing accidental about this at all.
Successful attacks against critical infrastructure operators may very well prove devastating in the event of an actual global military conflict. Malware like Triton and others are not just used for gaining access to systems, but are military-grade tools developed by nation states.
More details about ransomware damage cost predictions for the 5 year period will be revealed in a report that Cybersecurity Ventures intends to publish in 2018.
Two cybersecurity specialists, Eddie Habibi, CEO of PAS and Edgard Capdevielle, CEO of Nozomi Networks share with us their predictions ICS Security in 2018.What does 2018 hold for ICS cybersecurity?
Expect to see more comprehensive ICS cybersecurity policies offered.
Edgard Capdevielle, CEO of Nozomi Networks outlines his predictions for ICS cybersecurity in 2018.
Organizations grappling with ICS cybersecurity staffing and skills shortages are turning to AI solutions to achieve security and productivity goals.
The shortage of ICS cybersecurity skills will open the door for vendors to provide full security services.
ICS Insecurity Will Manifest Itself – Organizations are nowhere near as ready to combat critical infrastructure threats and will realize many truths: they don’t have a clear understanding of what assets they own; proper ICS cybersecurity hygiene is much harder to achieve than in IT networks; air-gapping is a fallacy; and organizations don’t possess the necessary personnel skills, their teams aren’t talking to one another and they aren’t currently monitoring their networks the way they should.
According to a review of publicly accessible ICS hosts, a staggering 91.1 percent likely belong to large organizations and have vulnerabilities that can be exploited remotely; 3.3 percent of the hosts contain remotely exploitable vulnerabilities that are considered critical.
One report, “Industrial Control Systems Vulnerabilities Statistics,” carried out by the company’s Security Services team, takes a comprehensive look at industrial control system security throughout the 2015 calendar year, breaking down all 189 ICS vulnerabilities dug up in 2015. While it may seem like there’s been an influx of ICS bugs over the last 12 months, the figure is actually more or less in line with statistics from the last few years and comes in just three bugs fewer than the all time high of 192 discovered in 2012.
The number 189 vulnerabilities does mark a tenfold increase from 2010 however, when only 19 vulnerabilities were identified.
In my experience, this is not out of the ordinary, although the Operational Technology community is warming up to the idea they need cyber security controls to prevent bad things from happening. There are just too many successful ICS cyber attacks for the older, less savvy OT people to continue to keep their heads in the sand.
Hackers have been breaking through a lot of government agency’s defenses these past years, and DARPA thinks it’s high time to do something about it. Pentagon’s mad science division has launched a new program called Rapid Attack Detection, Isolation and Characterization (RADICS), which aims to develop innovative technologies that can quickly detect and respond to cyber attacks. Not just any cyber attacks, though: RADICS was specifically created to deflect security threats on critical infrastructures in the US, especially those that are vital to the Department of Defense’s missions. The agency likely wants to make sure the government can quickly detect and fight off terrorists and/or hackers trying to switch off the country’s electricity or transportation systems.
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) released an alert late last week and patches are currently being validated according to ICS-CERT and researcher Aditya K. Sood, who gave the DEF CON presentation. Sood said the alert came as a result of his talk in Las Vegas where he described the flaws in Schneider Electric’s Modicon M340 PLC Station P34 Module human machine interface (HMI) software. HMIs provide infrastructure operators with a visualization of the automation environment and allow admins to manage controls from a single screen or screens.
The vulnerabilities affect the modules that support the Factory Cast Modbus feature.
“[The alert] is based on my DEFCON talk but there are high chances that attackers could have been exploiting these vulnerabilities for some time now,” Sood said.
Sood disclosed vulnerabilities and provided Schneider with proof-of-concept code for two remotely exploitable vulnerabilities, and a related locally exploitable flaw. One of the flaws is a hard-coded credential found in the software that ICS-CERT told Sood had already been reported to them. Sood said it is unknown whether the hard-coded password has been removed since there was discussion of deploying a patch that would disable the affected FTP login.
At Def Con 23, Marina Krotofil, senior security consultant at the European Network for Cyber Security, and Jason Larsen, principal security consultant at IOActive, presented Rocking the pocket book: Hacking chemical plants for competition and extortion; you can grab a copy of their presentation (pdf) and slides (pdf) as the duo delved into a complete attack, from start to finish, on a simulated plant for Vinyl Acetate production. Pulling off an operational technology hack that affects a physical thing in the real work is an extremely complex process with many stages that range from learning to leaving false forensic footprints to get away with the attack.
Cyber-physical attacks “go through several stages before the evil goals can be achieved;” most attackers have no idea about the complete process and how to manipulate it. If an attacker remotely tweaked one thing, turned a valve for example, how would that affect something else like reactor temperature? “Cyber attacks on process networks may allow the attacker to obtain sensor readings, to manipulate sensor measurements sent to controllers and instructions sent to actuators. To appreciate the effect of such manipulations the attacker has to understand the physical part of her target.” You need only look at one of several diagrams to grasp how much an attacker would need to understand.
“Blindly trying to destroy a process by overheating a tank will probably only result in exercising the emergency shutdown logic and the pressure relief valves,” they explained. When an attacker goes searching for answers, they likely understand the technician’s documentation but they also need to under the harder version – the engineer’s answers.
Intel Security and the Aspen Homeland Security Program said they polled IT decision makers representing 625 critical infrastructure organizations, with an average 12 years of security experience, including 250 in the United States, and 125 each from France, Germany and the United Kingdom.
The critical infrastructure providers surveyed are pleased with the results of their efforts to improve cybersecurity over the last three years. At the same time, almost three quarters (72 percent) said that the threat level was escalating. Almost half (48 percent) believed a cyberattack on critical infrastructure, with possible human physical casualties resulting, could occur within the next three years. Most of those who had experienced a cyberattack, 59 percent, said their facilities had already sustained some sort of physical damage stemming from such an attack.
Increasingly critical infrastructure providers looked to more cooperation between public and private sectors to blunt cyberattacks, with 86 percent believing cooperation on infrastructure protection is critical to successful cyber defense. Additionally, the survey found 68 percent believed their government can be a valuable partner in cybersecurity.
They also believed government should respond to attacks on critical infrastructure providers. According to the survey, 67 percent of respondents said a national defense force should respond when a cyberattack damages a critical infrastructure company within national borders.
“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”
The SmartThings hub had the least serious vulnerability as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated, cannot connect to the SmartThings service and is automatically redirected to an update server.”
As the Internet of Things evolves over the course of the next few years, expect to see a lot more vulnerabilities exposed as the manufacturers creating these devices are not including security in the design stages of their products. IoT increases the cyber attack surface and will be a huge platform malicious actors – likely cyber criminals – will attempt to leverage to gain access to private data for nefarious purposes.
For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO.
That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said.
An example of a successful cyber-physical attack through an ICS was the “Stuxnet” computer virus that was used to attack Iranian centrifuges in 2010. By hacking the Iranian nuclear facility’s ICS, the centrifuges were made to operate incorrectly, causing extensive damage.
“According to DoD, the same type of ICS can be found in the critical infrastructure on numerous DoD installations,” which means “the military services’ ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions,” the GAO report said.
In addition to shutting down the basic water and electrical systems at a military base, the ICS vulnerabilities “could be used as a gateway into the installation’s information technology system or possibly DoD’s broader information networks,” the report said.
Last year, a Pentagon order required the military services to identify and secure these computers, but military installation officials said meeting the 2014 deadline was impossible and asked to extend the deadline to 2018, according to the GAO.
Plans for upgrading the military ICS systems remain in the early stages; none of the services has a full and accurate inventory of the ICS systems on its installations, according to the GAO.
This is one area that scares me more than any other when it comes to military cyber security posture. Very few people within DoD know much of anything about industrial control systems, much less how they are connected to the networks, and the vulnerability baggage attached with these unnecessary connections.
As Henry Farrell observed in his CFR Cyber Brief on promoting norms in cyberspace, “U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems.” Addressing cyber threats to U.S. critical infrastructure, Admiral Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, asserted, “We have got to develop a set of norms or principles in this space.” Such emphasis on developing norms suggests that norms do not exist. However, cyberattacks by state or non-state actors against critical infrastructure are illegal under international law. In short, we have lots of norms, rather than a shortage of them.
In terms of criminal activities against critical infrastructure, the Council of Europe’s Convention on Cybercrime provides substantive and procedural rules that support states parties’ responses to such activities. The International Convention for the Suppression of Terrorist Bombings applies to attacks against infrastructure facilities through weapons or devices that can cause death, serious bodily injury, or substantial property damage, which can encompass cyberattacks by terrorist groups. A cyberattack by a state that damages critical infrastructure in another state would violate the international legal principle of non-intervention and, if sufficiently bad, might violate international law’s prohibition on the use of force.
More than 70 percent think the threat to their organizations is escalating. Almost 9 out of 10 experienced at least one attack in the last three years that caused some damage, disruption, or data loss, with a median of close to 20 attacks per year. Forty-eight percent believe it likely to extremely likely that a critical infrastructure cyber-attack will result in human fatalities in the next three years.
While they continue to look at further investment in various security areas, the vast majority think that greater cooperation and public-private partnerships with national and international agencies are important to keep pace with the escalating threat landscape.
What form would these joint activities take? Well, the top rated suggestions were joining a national or international defense council to share threat intelligence and defense strategies, taking coordinated direction on cyber defense, or even national legislation that requires cooperation with government agencies. The majority of respondents felt that their own government as well as international agencies could be valuable and respectful partners in cybersecurity, and many were open to sharing network visibility if it was deemed vital to national or global cyber defense.
However, one caution was that more than three-quarters of the security professionals supported the use of national defense forces to retaliate in response to a fatal critical infrastructure attack within the country. Given that only a third think that nation-state security services are behind the serious attacks on their organization, identifying a target for retaliation is problematic. Even if a nation-state is responsible, how do you conclusively determine the source of the attack, when it is using code borrowed or bought from organized crime in one country and servers spread across 5 other countries?
While 80 percent of survey respondents believe cybersecurity is “either greatly or extremely concerning,” most also believe they’re prepared for an eventual cyberattack. Twenty-seven percent of respondents feel “very or extremely vulnerable” today, whereas three years ago, half of respondents felt that way.
More than 600 IT professionals from critical infrastructure organizations participated in Intel’s survey. A majority live in the U.S.
Raj Samani, VP and CTO of Intel, told SCMagazine.com that this confidence could stem from critical infrastructure attacks not being top of mind, as they might have been three years ago. But for him, the results definitely seem to communicate an overconfidence among IT security professionals.
He especially emphasized this point given that 90 percent of respondents experienced at least one attack on secure systems, and the average came out to nearly 20 attacks per year. In most cases, these virtual attacks resulted in physical damage. Thirty-three percent ended in service disruption, and more than 25 percent allowed data to be compromised.
Seems like a lot of people are quite overconfident in their ability to withstand a cyber attack. Is it due to ignorance or actual belief their security controls are capable of preventing an attack.
I especially like how the article ended with this nugget of truth:
With this in mind, Samani reminds that most frequently, human error represents the biggest misstep in cybersecurity defenses, and for that reason, he suggests moving beyond code to address the human element in cyberattacks.
Igor Baikalov, chief scientist at data analytics firm Securonix, is nevertheless concerned. He told us if the Department of Homeland Security and the Federal Bureau of Investigations are ruling out a cyberattack as the cause of outages at United Airlines, the NYSE, and the WSJ — all happening in the span of a few hours on Wednesday morning — then our technological foundation is in a really bad shape.
“It’s our critical infrastructure we’re talking about. To have vital transportation, financial, and media companies, that are heavily dependent on technology, experience disrupting ‘glitches’ in their busiest hours is something that only global war game scenario can envision,” Baikalov said. “It’s just not something that one plans for in real life.”
NYSE President Tom Farley said an SEC (U.S. Securities and Exchange Commission) software update that morning could have triggered the outage. With that in mind, Baikalov asked a pointed question: Was it really that much cheaper to deploy system-wide changes right before the opening bell, and bring the whole thing down, than to execute a careful deployment overnight, with sufficient time for testing and reversing the changes if needed?
“I mean, these are serious companies with smart people doing expensive stuff — it’s not some low-life Internet of Things — how could the basic principles of information security be so ignored? Perhaps,” he said. “I stick with the conspiracy theory of nation-state retaliation for the market crash — or alien invasion.”
He points to a the hack against the U.S. Office of Personnel Management (OPM), which was ongoing for a year before someone noticed. “Most hacks are never noticed unless purposely looked for — a time consuming, costly and tedious process,” he said, adding, “I truly believe that the upper management of most large corporations and most bureaucrats, directors and politicians within our world governments do not understand this basic truth of the cyber world.”
Furthermore, based on his own research, McAfee says, “The Dark Web was rife with communications among a small group of people (allegedly members of Anonymous) congratulating themselves on a job well done on Wall Street.”
Several tweets have surfaced from Anonymous cells on twitter, but none have claimed responsibility.
He explained that the “mission-critical systems” of major corporations and governments have communications, power, processing and storage redundancies built in that allow for a seamless “hot swapover” to keep them running if one part of the system is incapacitated.
“The odds of failure of three systems like this, simultaneously, are in the trillions to one,” he said of the NYSE, United Airlines and Wall Street Journal incidents.
It is a bit coincidental and I do not generally believe in such coincidences. However, I need to see some specific data to see if there is a connection between these seemingly disparate outages. While I will not discount the possibility they were cyber attacks, or that they were coordinated, at this point I find it hard to believe.
But what if the big attack on America is one in which our military can’t defend us at all?
More and more, that seems not only like a possibility, but a probability.
In fact, we’ve seen some dress rehearsals for this kind of war recently.
What this means is that enemies are prepared, willing and able to exploit vulnerabilities of our civilian government infrastructure to avoid a direct head-on confrontation with our strength – our fighting forces.
It has come recently in the form of a devastating, albeit limited, cyber-attack by China in which this privileged trading partner and recipient of hundreds of billions in direct U.S. government aid exploited Washington’s negligent, virtually non-existent digital security policies to score perhaps the biggest intelligence asset in the history of the world – the names, addresses, Social Security numbers and background information on every single U.S. government employee, civilian and military, in the U.S.
It was a breathtaking and astonishing attack, albeit, given the U.S. government’s sheer incompetence, it was more like a surrender than an ingenious triumph by an enemy.