“The enemy is in the wire.” During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we’ve known this for years; however, the call rang frighteningly true in May of this year.
This particular enemy was first discovered in August 2017, as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down.
This company, which to date has not been named, called Saudi Aramco to help investigate software found on some of its computer systems. Together with experts from Mandiant, they discovered a new cyber weapon with echoes of Stuxnet, which was used to attack and disable Iran’s uranium enrichment plant by making centrifuges spin at self-destructive speeds.
This new cyber weapon, however, was not designed to directly destroy a piece of equipment. It was designed to degrade what is known as a safety instrumented system, commonly used to monitor systems in nuclear power plants and oil and gas refineries. If Trisis had worked, the equipment would have gone past redline, creating catastrophic damage and potential loss of life. However, the creators of Trisis made a mistake, and the safety systems worked to shut down the equipment.
Now fast forward to May 2018. Researchers at startup Dragos announce that Trisis has been modified, infecting other safety instrumented systems. The shocking part is that this version of Trisis wasn’t found in Middle East industrial systems, but in industrial systems inside the United States. The enemy is now truly in the wire.
What would happen if an industrial control system (ICS) were attacked and destroyed? We don’t have to speculate. In December 2015, the Ukrainian power grid was disabled by malware called Crash Override. The Ukrainian grid was compromised by a phishing attack that originated in the IT system and jumped into the operational technology (OT) system. Researchers believe it was part of the Russian campaign to annex the Crimean Peninsula. That’s a real-world example. But long-term outages will lead to consequences that the civilian population of a modernized country can’t handle well, according to the Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat report.
Taking out the grid would be painful, but the grid can be brought back online. To really cripple large parts of the US, enemies could target our massive electricity-producing generators, which are made in China and India. Electric companies don’t keep spares on hand, and it can take a year to build one. In World War II, we started bombing the factories instead of going after the finished planes on runways. If you take out the means of production, the rest goes downhill rapidly. If the generators are destroyed by compromising safety instrumented systems, it would indeed go badly for the population.
For example, in the many months it would take to get replacements from China or India, food and medicine distribution systems would become ineffective. Grocery stores typically only keep enough food on hand for three days. Without power, air conditioning and heat will not work, which can be deadly to the young and elderly. Traffic systems would be disabled, causing gridlock and preventing needed supplies and help from reaching those in need. Law enforcement and emergency personnel capabilities would be barely functional in the short term and become dysfunctional over sustained periods. Our military would have to be diverted to help the homeland civilian population. If timed right, a nation-state would be able to take advantage of allies that depend on US military support for their defense. The end results are truly dire.
Because of this scenario, the US government is taking strategic steps to help counter the threats to the nation’s critical infrastructure. The Department of Homeland Security has a program called the Apex Next Generation Cyber Infrastructure, which according to its website, “addresses the challenges facing our nation’s critical infrastructure sectors, enabling infrastructure to operate effectively, even in the face of sophisticated, targeted cyberattacks.” Similarly, the Department of Energy (DOE) in March 2018 released its Multiyear Plan for Energy Sector Cybersecurity, detailing its own cyber strategies. Both are long-term efforts; the DOE plans will be fully in place in four years.
Meanwhile, there are near-term things that can be done to improve the security of industrial systems:
- A full accounting of what is on OT and IT systems should be done first, to identify what is present, how the identified systems are configured, and how they can pass data throughout the network.
- Then organizations can identify ICS and network devices that should be decommissioned and replaced with new and more secure devices.
- Next, organizations should implement network segmentation, where possible.
Obviously, this is not foolproof, but it does add more complexity that attackers must overcome in order to compromise an ICS. More time could lead to them being caught before they can compromise anything.
This is intensive work, but it is work that must be done in order to determine what is most at risk. Companies can and should take steps to make their OT and IT systems resilient. What is a resilient system from a cybersecurity perspective? It is a system that is hard to hit, can detect incidents immediately, and can respond rapidly. The foundation for resilience is first knowing your environment completely.
Wayne Lloyd has over 25 years of field experience in information technology, with the last 15 years directly focusing in cybersecurity, including computer and network security, advanced threat analysis, intrusion detection and operations, vulnerability risk assessment, and … View Full Bio