Despite high-profile attacks, there is still a lack of IT security in key public infrastructure. We ask if it will take a major meltdown to prompt governments to take action.
It is almost a year now since the attack on the control system of an Iranian nuclear reactor by the Stuxnet virus. However, despite this ominous development and recent reports that the threat of attacks has increased, a worrying amount of vital public infrastructure is still vulnerable.
Cyber-attacks are currently the single greatest threat to national security with many countries placing it at the forefront of their defence planning. Critical civilian infrastructure that depends most heavily on industrial control systems – such as power, water, oil and gas – is still under threat from cyber-attack, despite the increased security following Stuxnet. 'If you can't deal with a zero-day attack coming from a thumb-drive you have nothing,' former director of central intelligence Jim Woolsey says.
According to a recent report conducted by IT security specialists McAfee and the Centre for Strategic International Studies (CSIS) – an organisation that drafted US President Barak Obama's cyber-security strategy – vulnerabilities are also still growing. The report states that '40 per cent of executives believed that their industry's vulnerability had grown over the past year'.
Another report, from the Ponemon Institute, claims that 75 per cent of global energy organisations they polled admit to having suffered at least one data breach in the past 12 months. 'One of the scariest points that jumped out at me is that it takes on average 22 days to detect insiders making unauthorised changes, showing just how vulnerable organisations are today,' Dr Larry Ponemon, founder and chairman on the Ponemon Institute, says. 'These results show that energy and utility organisations are struggling to identify the relevant issues that are plaguing their companies from a security perspective. They have to bridge the gap to operations and IT, and make IT security a top priority within the organisation.'
'It is definitely a clear and present danger,' says Sal Viveros, security expert at McAfee. 'The number of attacks facing these types of companies is pretty large, with one in four of the companies that we spoke to having been a victim of extortion. We are seeing cyber-criminals trying to blackmail these people; apparently hundreds of millions of dollars have been extorted from US companies. This is really the biggest untold story about cyber-crime. That percentage is pretty high and that's only those who are willing to go on record and admit it.'
What is Stuxnet?
According to Eric Knapp, director critical infrastructure markets at NitroSecurity, the Stuxnet virus itself is a remarkably sophisticated form of malware, which has two characteristics that demonstrated the growing threat of cyber-attacks.
'First, it had no obvious criminal payoff,' he says. 'It was designed for sabotage and sabotage alone. It infects computer systems by exploiting a number of vulnerabilities on Microsoft Windows. Uploaded to the computer through, among other things, a USB drive, shared network files, or SQL databases, it targets a specific Siemens SCADA program.'
If this software is running, Stuxnet looks for a particular configuration of industrial equipment and then launches an attack designed to manipulate certain microcontrollers to perform erratically while reporting normal functioning to operators of the system.
'This is sabotage pure and simple,' Knapp adds. 'Stuxnet was a weapon; it was someone who tried to target a Scada system to cause actual harm, rather than to take control or extract information.'
There is no easy way to use the malware either for espionage or for extortion. It has been widely speculated that Stuxnet was aimed at infiltrating Iran's heavily protected Natanz facility for enriching uranium. The delicate centrifuges at Natanz are crucial for Iran's nuclear weapons programme, and they have suffered numerous unexplained failures since Stuxnet was launched.
Second, Stuxnet was an extraordinary advance in sophistication over the kinds of malware used by the criminal underground. The Belarusian security firm that initially identified Stuxnet at first believed it to be a backdoor for hackers. But closer inspection revealed the complex nature of the virus. It featured: multiple exploits that were previously unknown; Microsoft Windows driver modules that signed using genuine cryptographic certificates stolen from respectable companies; about 4,000 functions; and advanced anti-analysis techniques to render reverse-engineering difficult.
'It is almost certainly the work of a government, not a criminal gang,' Knapp says. 'Stuxnet is, in short, a weapon. It is a concrete demonstration that governments will develop malware to sabotage their adversaries' IT systems and critical infrastructure. It also shows that hostile governments can easily target the Scada systems on which a nation's power, gas, oil, water and sewage systems depend, defeating the defences upon which most companies rely.'
No connect between IT and control
One of the chief concerns, which Ponemon touched on earlier, is that the integrations between enterprise and control systems has not been matched by an awareness of the security issues. 'A big problem that the information security systems have is that the IT world and the control systems are entirely different,' Knapp adds. 'It is certainly true in the case of personnel and their wealth of expertise, but it is also true to the systems themselves.
'Most IT monitoring solutions can't understand what is going on in the control system so it is very difficult to collect information and to analyse that information in any sort of intelligent manner. For example, if you were on an Ethernet network and you could use a programme to monitor the traffic, you can decode it and look into applications because it is all fairly standard. In a control system, however, a lot of it is still personalised data protocols, and if you want to put a probe into place you can't because the last thing you want to do is introduce a variable into a well-defined system that could cause some disruption to the server.'
Even though these vulnerabilities are well recognised by power companies they are adding greater risk by implementing 'smart grid' technologies. These technologies will give individuals more control and access to IT infrastructure.
'Without better security, this increased control can fall into the hands of criminals, giving them the ability to modify billing information and perhaps even control which customers or appliances get electricity,' Woolsey says. '90 to 95 per cent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check.'
'We believe that the smart grid is not so smart,' Viveros adds. 'You are giving more and more access to individuals and also appliances so the control is being taken away for a central resource. Those types of systems are often not hardened; their focus is not on security but being able to manage things efficiently. If security isn't built in at the beginning there will be risk.
Life after Stuxnet
Knapp argues that the Stuxnet threat has heightened awareness. 'I think that since Stuxnet the attitude towards protection has changed considerably,' he adds. 'Everybody is looking at that worst-case scenario now. Someone successfully hacked in or successfully delivered malware that actually sabotaged a process, and there is nothing to stop that from happening again. Therefore people are now looking for things and usually if you are looking, patterns are quite easy to find. This is especially true in a manufacturing environment because automated processes are very well defined and most often also extremely well timed. If there was any sort of abnormal behaviour it would stand out very quickly.
'If a process is defined so that something happens in exactly the same way every single time, if some integration changes it has to be rectified pretty quickly. So if the security people can look at what is happening in the operational environment it would be relatively easy for them to spot evidence that something has happened. Predicting that something is about to happen is completely different.'
The emergence of Stuxnet points to an overriding need for critical infrastructure companies to acknowledge the changes in the cyber-threat landscape. It is clear that they need to focus attention not only on denial-of-service attacks, but also on more sophisticated threats, like stealthy infiltration from state-sponsored actors or cyber-extortionists.
'The days of having an anti-virus programme on your system and thinking you are protected are long gone,' Viveros says. There are plenty of technologies available to protect every entry point that these organisations need to look into, but a clear consensus is that application control is vital. If you know exactly what is running on each system you can ensure that nothing else is on that system – this makes it impossible for people to access the system via USB. The age of the firewall it seems is over. 'Firewalls have been used in the past, but now with Port 80 open to use various web applications you need application control as well,' Viveros adds.
'One barrier to closing this vulnerability and minimising the risk is the fact that organisations are not prioritising IT security,' Ponemon says. 'In fact, physical security budget is about nine times the physical security budget. There is also the fact that it is clear that preventing downtime is more critical than stopping an attack.'
With the talk of further attacks imminent and an admission from Siemens that they have failed to plug the holes – this was amply demonstrated by the company's request that NSS labs cancel a talk at a recent conference where they were due to explain how an attack could occur – urgent attention is required. The solution would be to make IT security a strategic initiative across every enterprise, but with finances stretched it may take another Stuxnet-like intrusion to trigger that change in emphasis. *