A truism of cyber security is that cyber attacks only get more sophisticated over time, and so best-practice cyber defenses must continue to evolve, as well. In the last half decade, professional-class, targeted cyber attacks have become the new “normal” — the pervasive cyber threat that best-practice cyber-security programs must all address, in addition to myriad older, well-understood threats. Widespread understanding of targeted attacks has been slow to develop among security practitioners and the general public, in large part because attackers take great pains to remain invisible. Despite this, best practices have developed and are being applied routinely to address the risks posed by targeted attacks, both on corporate information technology (IT) networks and on operations technology (OT) control system or supervisory control and data acquisition (SCADA) networks. However, OT best practices differ sharply from IT best practices.
Most of us have experienced a malware-infected computer. High-volume malware, by definition, seeks to compromise millions of machines. These attacks generally harvest personal credit-card and banking credentials, and may use compromised equipment as part of for-hire distributed denial of service (DDoS) attacks or spam-sending botnets. Targeted attacks are the very opposite of high-volume malware in many ways; they are low volume and slow, operated manually by professionals with a specific target in mind (see sidebar).
HOW DO THEY WORK?
Targeted attacks entered popular awareness as so-called advanced persistent threat (APT) attacks but have evolved into remote administration tool (RAT) attacks with a wide range of attack features, including the ability to execute commands remotely, download new versions of themselves, and operate compromised machines with a user interface very similar to the popular Remote Desktop tool. Once established on a corporate network, powerful RAT malware is controlled by a professional team in an environment very much like that of a typical 9-to-5 job.
Targeted attacks traditionally begin by compromising the corporate network of a specific organization. This often starts with reconnaissance on employees’ social networks to create very convincing e-mails that trick victims into running malware attachments, or with more traditional attacks on Web servers exposed through Internet-facing firewalls. Attackers selectively deploy implanted malware to evade anti-virus systems, because vendors of such systems generally produce a signature for a new piece of malware only when they see thousands of copies of it on decoy honeypot servers. There typically are no anti-virus signatures for malware that exists on only a few machines in the world.
Professional attackers also harvest passwords and password hashes (i.e., Microsoft Windows data structures used to identify logged-in users between machines in a domain). Having obtained domain administrator credentials, they create their own accounts and passwords, and so no longer need to attack software vulnerabilities or guess weak passwords. The attackers simply log into and operate their targets remotely using their new credentials.
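The account-creation behavior described above leaves a footprint in Windows Security logs. As an added example that is not part of this article, the following script flags newly created accounts that are added to a privileged group within a short window; event IDs 4720 (account created) and 4728 (member added to a security-enabled global group) are real Windows event IDs, while the key=value log format, the sample events and the 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real log data).
# EventID 4720 = user account created; 4728 = member added to a global group.
SAMPLE_EVENTS = [
    "ts=2014-09-01T08:12:03;id=4720;subject=CORP\\jsmith;target=CORP\\svc-backup",
    "ts=2014-09-01T08:12:41;id=4728;subject=CORP\\jsmith;member=CORP\\svc-backup;group=Domain Admins",
    "ts=2014-09-01T09:30:00;id=4720;subject=CORP\\hr-admin;target=CORP\\new.hire",
    "ts=2014-09-03T14:00:00;id=4728;subject=CORP\\hr-admin;member=CORP\\new.hire;group=Remote Users",
    "ts=2014-09-05T02:10:00;id=4728;subject=CORP\\jsmith;member=CORP\\new.hire;group=Domain Admins",
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
WINDOW = timedelta(hours=24)  # assumption: legitimate provisioning rarely grants admin this fast


def parse_event(line):
    """Turn one 'key=value;key=value' line into a dict with a parsed timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split(";"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def find_fast_privilege_grants(lines, window=WINDOW):
    """Return (member, creator, granter, minutes) for every account that was
    created and then added to a privileged group within `window`."""
    created = {}  # account -> (creation time, account that created it)
    alerts = []
    for ev in (parse_event(line) for line in lines):
        if ev["id"] == "4720":
            created[ev["target"]] = (ev["ts"], ev["subject"])
        elif ev["id"] == "4728" and ev["group"] in PRIVILEGED_GROUPS:
            if ev["member"] in created:
                t0, creator = created[ev["member"]]
                delta = ev["ts"] - t0
                if timedelta(0) <= delta <= window:
                    minutes = int(delta.total_seconds() // 60)
                    alerts.append((ev["member"], creator, ev["subject"], minutes))
    return alerts


if __name__ == "__main__":
    for member, creator, granter, minutes in find_fast_privilege_grants(SAMPLE_EVENTS):
        print(f"ALERT: {member} created by {creator}, made privileged by {granter} after {minutes} min")
```

In the sample data only svc-backup is flagged: new.hire is also added to Domain Admins, but four days after creation, so it falls outside the window and would need a different rule (for example, reviewing every privileged-group addition) to be caught.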
Targeted RAT attacks have proven extremely effective at defeating long-standing IT security practices, including firewalls, encryption, anti-virus systems and security update programs. Worse, RAT techniques are well known. Every intermediate- or advanced-level security training program teaches them. And all legitimate penetration testers use these tools and techniques when examining the security of a client site.
DIFFERENCES IN BEST PRACTICES
IT network best practices for protecting against targeted attacks are well documented but ineffective at protecting control system networks. This primarily is due to IT network administrators being concerned with protecting valuable data by deploying intrusion detection systems, data-exfiltration detection and prevention systems, and advanced forensics technologies in hopes of identifying compromised computers and stopping attacks before serious data loss occurs.
On the other hand, OT network administrators are concerned with the possibility of cyber sabotage, including facility shutdowns, equipment damage, ransomware attacks (i.e., ones that require payment to regain proper functionality) and, most importantly, risks to workers, the public and environmental safety. However, targeted RAT attacks focused on cyber sabotage leave very different footprints than data-exfiltration attacks. Cyber-sabotage attacks involve comparatively small amounts of data, little of which can be flagged as “sensitive” by data-exfiltration prevention systems.
Additionally, the focus on safety and reliability means that OT networks are managed very differently than IT networks. The IT approach of constant change to “stay ahead of the bad guys” is a poor fit for control system networks in which every software change is a potential threat to worker and public safety. That risk prevents aggressive anti-virus signature and security update programs from being deployed. This certainly doesn’t mean the security vulnerabilities of OT networks are less concerning. Rather, because the vulnerabilities are so difficult to correct promptly, OT network best practices put more emphasis on physical and cyber perimeter protections than do IT networks.
ALTERNATIVE CYBER-SECURITY MEASURES
OT best practices have embraced hardware-enforced unidirectional security gateways, which permit information to flow from plant networks to corporate networks but are physically incapable of sending any information, directly or indirectly, back into control system networks. The gateways, by definition, defeat all online attacks originating on corporate networks or the Internet, including corporate insider attacks, virus and botnet propagation, and professional-grade targeted attacks. When penetration testers using targeted attack techniques discover one of these gateways at a site, their immediate response is to try to find a network path around the gateways because they know that, unlike with firewalls, there’s no way through.
Variations on unidirectional security gateway technologies exist, as well. For example, many chemical manufacturers run sophisticated simulations and production optimization programs on corporate networks and frequently must feed information from these applications into control networks. Reversible unidirectional “flip” technology (Figure 1) allows disciplined and controlled information flows back into control system networks, without introducing the vulnerabilities that always accompany firewall deployments or bidirectional communications channels upon which targeted attacks rely.
When deployed as recommended, unidirectional security gateway technologies and their variants are physically incapable of supporting interactive remote-control data flow. OT best practices, as documented in everything from the International Society of Automation, International Electrotechnical Commission and North American Electric Reliability Corporation Critical Infrastructure Protection standards, to U.S. National Institute of Standards and Technology, U.S. Department of Homeland Security and European Network and Information Security Agency guidance, are all pointing to unidirectional security gateway technologies as stronger-than-firewall cyber-perimeter protections for OT control-system and safety networks.
A decade ago, IT and OT practitioners struggled with the question of why IT and OT networks should be managed differently if they consisted of nearly identical computer, networking and operating system components. More recently, OT security practitioners have grappled with the question of software protections for safety systems. If all software has vulnerabilities, why is it reasonable to depend upon software alone for safety and reliability?
A consensus now has emerged: safety is the difference between IT and OT networks. Targeted attacks are the new normal, and professional-grade attackers can compromise any software, including firewalls. Documented OT best practices have evolved to recommend that defense-in-depth protections for the most-sensitive control system networks include at least one layer of hardware-enforced unidirectional security gateway protections, in addition to multiple layers of software protections.
COMPLACENCY ISN’T AN OPTION
Five relatively recent attacks point up the potential risks faced by industry, including chemical companies:
Stuxnet integrated several previously theoretical control-system attack techniques into a sophisticated, targeted attack tool credited with destroying 1,000 to 2,000 Iranian uranium gas centrifuges.
Night Dragon demonstrated that even the largest well-defended oil and gas companies fall prey to targeted attacks.
Shady RAT compromised dozens of institutions and highlighted the role of RAT software and interactive remote control in professional-grade attacks.
Shamoon was simple malware that erased 30,000 computers on one corporate network and raised widespread concerns of cyber-sabotage attacks jumping through firewalls to OT networks.
Havex gathered information at dozens of sites from OPC servers, which are direct interfaces to low-level control system equipment, raising concerns that a well-funded Russian group is preparing for cyber sabotage.
ANDREW GINTER is vice president of industrial security for Waterfall Security Solutions, Calgary, Alberta. E-mail him at Andrew.email@example.com.